[Snort-sigs] A question on ethernet padding

Jeremy Hoel jthoel at ...2420...
Thu Jan 23 15:20:18 EST 2014


So there you go.. I was trying various offsets and depths and didn't
seem to get it.  But I'll try that.  Thanks!


BTW - Should that be part of the rule?  Since you wouldn't want those
to fire if they had 0 data?



On Thu, Jan 23, 2014 at 8:17 PM, James Lay <jlay at ...3266...> wrote:
> On 2014-01-23 12:54, Jeremy Hoel wrote:
>>
>> I was wondering kind of the same question.. in regards to those new
>> ICMP rules.  NetApps don't have any ICMP data, just the main requests,
>> but there seems to always be 10 bytes |00| in what wireshark calls
>> padding, and I'm curious if I can write the rule around that.
>>
>> On Thu, Jan 23, 2014 at 4:07 PM, James Lay <jlay at ...3266...>
>> wrote:
>>>
>>> Does snort treat ethernet padding as data?  Wireshark shows that I have
>>> 1 byte of data in a packet after my ethernet and ip headers.  My
>>> ethernet header, normally 14 bytes, includes 17 bytes of Padding.  Does
>>> snort consider the padding as data?  Trying to figure out what offset
>>> and depth to use on this rule.  Hope I'm explaining this well..thanks
>>> all.
>>>
>>> James
>
>
> An end around to NOT see these can be to add dsize:>1; to your
> rule...should nuke out these zero data pings.
>
> James
>
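Worked example added here, not part of the thread or of Snort's own code. It builds a constructed Ethernet/IPv4/ICMP echo frame (made-up MAC and private IP addresses, checksums left at zero) with 1 byte of echo data, pads it to the 60-byte Ethernet minimum the way a NIC does, and then decodes it the way an IP-aware engine such as Snort does: the IP header's total-length field bounds the packet, and whatever follows it is trailer padding, not data. The function names and the frame contents are the example's own assumptions.

```python
import struct

ETH_HDR_LEN = 14
IP_HDR_LEN = 20          # no IP options in this constructed traffic
ICMP_ECHO_HDR_LEN = 8    # type, code, checksum, identifier, sequence
MIN_FRAME_LEN = 60       # Ethernet minimum without the 4-byte FCS; shorter frames get zero-padded


def build_icmp_echo_frame(icmp_data: bytes) -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo-request frame (made-up MACs,
    private IPs, checksums left at zero because nothing here validates them).
    Frames shorter than 60 bytes are padded with zeros, as a NIC would do."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + icmp_data
    ip_total_len = IP_HDR_LEN + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, ip_total_len,   # version/IHL, TOS, total length
                         0, 0, 64, 1, 0,          # id, flags/frag, TTL, proto=ICMP, checksum
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    frame = eth_hdr + ip_hdr + icmp
    if len(frame) < MIN_FRAME_LEN:
        frame += b"\x00" * (MIN_FRAME_LEN - len(frame))
    return frame


def decode_frame(frame: bytes) -> dict:
    """Decode the way an IP-aware engine does: the IP total-length field, not
    the captured frame length, bounds the packet, and anything after it is
    trailer padding. Returns the ICMP echo payload length (what dsize compares),
    the padding length, and the naive 'everything after the IP header' count
    that a raw frame-length calculation would give."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    ip_total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 1:
        raise ValueError("not ICMP")
    packet, padding = ip[:ip_total_len], ip[ip_total_len:]
    icmp = packet[ihl:]
    if icmp[0] not in (0, 8):
        raise ValueError("example handles echo/echo-reply only")
    payload = icmp[ICMP_ECHO_HDR_LEN:]
    return {
        "dsize": len(payload),
        "padding": len(padding),
        "naive_after_ip_hdr": len(ip) - ihl,
    }


def dsize_gt(frame: bytes, n: int) -> bool:
    """Equivalent of the rule option dsize:>n evaluated against this frame."""
    return decode_frame(frame)["dsize"] > n


if __name__ == "__main__":
    one_byte_ping = build_icmp_echo_frame(b"A")
    print(len(one_byte_ping), decode_frame(one_byte_ping), dsize_gt(one_byte_ping, 1))
```

With 1 byte of echo data the frame is 14 + 20 + 8 + 1 = 43 bytes and gets 17 bytes of zero padding, the same numbers James reports from Wireshark. The decoder reports dsize 1 and padding 17, while the naive count of bytes after the IP header would be 26. Because the engine stops at the IP total length, offset and depth are measured within that 1-byte payload and the padding bytes are never available to content matches, which is why a rule cannot be written around the |00| padding Jeremy sees. The dsize:>1 option from the reply excludes both this ping and the zero-data ones; note that it also excludes any legitimate 0- or 1-byte echo you might still want to inspect.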



