[Snort-sigs] A question on ethernet padding

Jeremy Hoel jthoel at ...2420...
Thu Jan 23 14:54:19 EST 2014


I was wondering kind of the same question.. in regards to those new
ICMP rules.  NetApps don't have any ICMP data, just the main requests,
but there seems to always be 10 bytes |00| in what Wireshark calls
padding, and I'm curious if I can write the rule around that.

On Thu, Jan 23, 2014 at 4:07 PM, James Lay <jlay at ...3266...> wrote:
> Does snort treat ethernet padding as data?  Wireshark shows that I have
> 1 byte of data in a packet after my ethernet and ip headers.  My
> ethernet header, normally 14 bytes, includes 17 bytes of Padding.  Does
> snort consider the padding as data?  Trying to figure out what offset
> and depth to use on this rule.  Hope I'm explaining this well..thanks
> all.
>
> James
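An added illustration, not part of the original thread and not Snort's code: Wireshark labels as padding the bytes that follow the end of the IP datagram, and that end is given by the IPv4 Total Length field. The Python below splits a constructed zero-data ICMP echo request the same way; the MAC and IP addresses and the function names are made up for the example.

```python
import struct

ETH_HDR_LEN = 14            # Ethernet II header, no 802.1Q tag (assumption)
ETHERTYPE_IPV4 = 0x0800
ICMP_HDR_LEN = 8            # type, code, checksum, id, seq (echo messages)

def split_frame(frame: bytes) -> dict:
    """Separate the IP datagram from trailing Ethernet padding."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an untagged IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if version != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("malformed or truncated IPv4 header")
    ip_payload = ip[ihl:total_len]       # bounded by Total Length
    result = {
        "protocol": ip[9],
        "ip_payload": ip_payload,
        "padding": ip[total_len:],       # bytes after the datagram ends
    }
    if ip[9] == 1:                       # ICMP: data follows the 8-byte header
        result["icmp_data"] = ip_payload[ICMP_HDR_LEN:]
    return result

def build_sample() -> bytes:
    """Constructed sample: ICMP echo request with no data, padded to 60 bytes."""
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)
    icmp = struct.pack("!BBHHH", 8, 0, 0xF7FD, 1, 1)    # type 8, id 1, seq 1
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                         64, 1, 0,                      # TTL 64, ICMP, checksum not computed
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    frame = eth + ip_hdr + icmp
    # 60 bytes is the minimum Ethernet frame size without the FCS
    return frame + b"\x00" * (60 - len(frame))

if __name__ == "__main__":
    parts = split_frame(build_sample())
    print("ICMP data bytes:", len(parts["icmp_data"]))
    print("padding bytes:  ", len(parts["padding"]))
```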



