[Snort-sigs] A question on ethernet padding

James Lay jlay at ...3266...
Thu Jan 23 15:17:07 EST 2014


On 2014-01-23 12:54, Jeremy Hoel wrote:
> I was wondering kind of the same question.. in regards to those new
> ICMP rules. NetApps don't have any ICMP data, just the main requests,
> but there seems to always be 10 bytes |00| in what wireshark calls
> padding, and I'm curious if I can write the rule around that.
>
> On Thu, Jan 23, 2014 at 4:07 PM, James Lay <jlay at ...3266...> wrote:
>> Does snort treat ethernet padding as data? Wireshark shows that I have
>> 1 byte of data in a packet after my ethernet and ip headers. My
>> ethernet header, normally 14 bytes, includes 17 bytes of Padding. Does
>> snort consider the padding as data? Trying to figure out what offset
>> and depth to use on this rule. Hope I'm explaining this well..thanks
>> all.
>>
>> James

An end around to NOT see these can be to add dsize:>1; to your
rule...should nuke out these zero data pings.

James
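To make the padding question concrete, here is an added example (not from the thread or from Snort) that builds the frame James describes, 1 byte of ICMP echo data zero-padded to the 60-byte Ethernet minimum, and computes the data length the way a dsize-style check would if it goes by the IP total-length field rather than the captured frame length. That the padding is excluded is an assumption of this model, not something the thread establishes; addresses, ids and checksums are dummy values.

```python
import struct

ETH_HLEN = 14
MIN_ETH_FRAME = 60  # minimum Ethernet frame without FCS; shorter frames get zero-padded

def build_echo_frame(data: bytes) -> bytes:
    """Constructed sample: Ethernet/IPv4/ICMP echo request carrying `data`,
    zero-padded to MIN_ETH_FRAME the way a NIC would. Checksums are left zero."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data  # type 8 = echo request
    ip_total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = eth + ip + icmp
    return frame + b"\x00" * max(0, MIN_ETH_FRAME - len(frame))

def parse_frame(frame: bytes) -> dict:
    """Compare what the IP header claims with what the wire actually carried."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    ip_total_len = struct.unpack("!H", frame[ETH_HLEN + 2:ETH_HLEN + 4])[0]
    proto = frame[ETH_HLEN + 9]
    l4_len = ip_total_len - ihl
    # assumption: for ICMP echo the "data" is what follows the 8-byte echo header
    icmp_data_len = l4_len - 8 if proto == 1 else None
    padding_len = len(frame) - ETH_HLEN - ip_total_len  # trailer beyond IP total length
    return {"ip_total_len": ip_total_len, "icmp_data_len": icmp_data_len,
            "padding_len": padding_len,
            "bytes_on_wire_after_ip_hdr": len(frame) - ETH_HLEN - ihl}

def dsize_gt(frame: bytes, n: int) -> bool:
    """Model of a `dsize:>n;` test on the IP-derived ICMP data length (padding excluded)."""
    return parse_frame(frame)["icmp_data_len"] > n

if __name__ == "__main__":
    f = build_echo_frame(b"A")
    print(parse_frame(f))          # 1 byte of data, 17 bytes of padding, 26 bytes on the wire
    print(dsize_gt(f, 1))          # False: the padded ping is filtered out
    print(dsize_gt(build_echo_frame(b"A" * 32), 1))  # True: a normal 32-byte ping
```

The 26 bytes after the IP header seen on the wire versus the 1-byte IP-derived length is exactly the gap that makes offset/depth values written from a Wireshark view misleading.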
