[Snort-sigs] A question on ethernet padding
jlay at ...3266...
Thu Jan 23 15:26:14 EST 2014
On 2014-01-23 13:20, Jeremy Hoel wrote:
> So there you go.. I was trying various offsets and depths and didn't
> seem to get it. But I'll try that. Thanks!
> BTW - Should that be part of the rule? Since you wouldn't want those
> to fire if they had 0 data?
> On Thu, Jan 23, 2014 at 8:17 PM, James Lay <jlay at ...3266...>
>> On 2014-01-23 12:54, Jeremy Hoel wrote:
>>> I was wondering kind of the same question.. in regards to those new
>>> ICMP rules. NetApps doing have any ICMP data, just the main
>>> but there seems to always be 10 bytes |00| in what wireshark calls
>>> padding, and I'm curious if I can write the rule around that.
>>> On Thu, Jan 23, 2014 at 4:07 PM, James Lay
>>> <jlay at ...3266...>
>>>> Does snort treat ethernet padding as data? Wireshark shows that I
>>>> 1 byte of data in a packet after my ethernet and ip headers. My
>>>> ethernet header, normally 14 bytes, includes 17 bytes of Padding.
>>>> snort consider the padding as data? Trying to figure out what
>>>> and depth to use on this rule. Hope I'm explaining this
>> An end around around to NOT see these can be to add dsize:>1; to
>> rule...should nuke out these zero data pings.
Yea..I've been making specific rules to match standard ping types that
are anomalous, and then a catch all rule. Here's my catch all so far:
alert icmp any any -> any any (msg:"Unusual PING detected"; icode:0;
itype:8; fragbits:!M; ttl:>10; dsize:>5;
classtype:bad-unknown; sid:10000119; rev:4;)
It's been a neat exercise seeing how I can hone it to fire on just
what's weird, not what's usual.
More information about the Snort-sigs