[Snort-sigs] Problem with icmp_seq

Jamie Riden jamie.riden at ...2420...
Wed Nov 25 06:22:15 EST 2009


icmp_seq refers to the ICMP sequence number, part of the ICMP header,
not the data portion of the packet. Can you send a packet dump so we
can check whether the itype, content and icmp_seq matches actually do
match?

cheers,
 Jamie

2009/11/25 sofia insat <sofia.insat at ...174...>
>
> Hi,
>
> I have to verify with a hexadecimal ICMP sequence that has this value "beef",
> so I have written this rule:
> alert icmp any any -> any any (msg:"----------- ICMPv6 : echo request -----------"; itype:128; content: "AAA"; icmp_seq: beef; sid:1000001;)
> but it does not detect a packet that has this ICMP sequence.
>
> How can I resolve this problem?
>
> Thanks



--
Jamie Riden / jamesr at ...3216... / jamie at ...3294...
http://www.ukhoneynet.org/members/jamie/
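
The check requested in the reply above, sketched as an added example that is not part of the original thread: it parses an echo message from a packet dump and reports separately whether the itype, content and icmp_seq conditions hold. The function names and the sample bytes are constructed for illustration, and it assumes the sequence number is compared as a number (hex beef is 48879) and that content is searched only in the bytes after the 8-byte echo header.

```python
import struct

def parse_icmp_echo(icmp: bytes) -> dict:
    """Split an ICMP/ICMPv6 echo message into header fields and payload."""
    if len(icmp) < 8:
        raise ValueError("echo message needs at least an 8-byte header")
    # type(1) code(1) checksum(2) identifier(2) sequence(2), network byte order
    itype, code, checksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"itype": itype, "code": code, "checksum": checksum,
            "id": ident, "seq": seq, "data": icmp[8:]}

def check_rule(icmp: bytes, itype: int, content: bytes, icmp_seq: int) -> dict:
    """Report, per rule condition, whether this packet satisfies it."""
    fields = parse_icmp_echo(icmp)
    return {
        "itype": fields["itype"] == itype,
        # Assumption: content is matched against the payload, not the header.
        "content": content in fields["data"],
        # The sequence number lives in the header and is compared numerically.
        "icmp_seq": fields["seq"] == icmp_seq,
    }

# Constructed sample: type 128 (ICMPv6 echo request), code 0, checksum left
# as 0x0000 (placeholder, not a valid checksum), id 0x1234, sequence 0xbeef,
# followed by an "AAAAAAAA" payload.
SAMPLE = bytes.fromhex("80" "00" "0000" "1234" "beef") + b"AAAAAAAA"

if __name__ == "__main__":
    print(parse_icmp_echo(SAMPLE))
    # Sequence given as the decimal value of hex beef.
    print(check_rule(SAMPLE, itype=128, content=b"AAA", icmp_seq=48879))
    # The bytes be ef are in the header, so a payload search does not see them.
    print(check_rule(SAMPLE, itype=128, content=b"\xbe\xef", icmp_seq=48879))
```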



