[Snort-sigs] Problem with icmp_seq

Jamie Riden jamie.riden at ...2420...
Wed Nov 25 06:22:15 EST 2009

icmp_seq refers to the ICMP sequence number, part of the ICMP header,
not the data portion of the packet. Can you send a packet dump so we
can check whether the itype, content and icmp_seq matches actually do


2009/11/25 sofia insat <sofia.insat at ...174...>
> Hi,
> I have to verify with an hexadecimal icmp sequence that have this value "beef"
> so I have written this rule :
> alert icmp any any -> any any (msg:"----------- ICMPv6 : echo request -----------"; itype:128; content: "AAA"; icmp_seq: beef; sid:1000001;)
> but It does not detect a packet that have this icmp sequence
> How can I resolve this problem
> Thanks

Jamie Riden / jamesr at ...3216... / jamie at ...3294...

More information about the Snort-sigs mailing list