[Snort-users] Problem with version 1.6.2.2 and above...

Thayne thayne_a at ...125...
Thu Jul 20 20:05:48 EDT 2000


Thanx for the reply Marty,

Turning the rule off is not such a problem.  I just thought it peculiar that
it only does this in versions 1.6.2.2 and above, but not 1.6 even though our
1.6 implementation has the exact same rule (alert icmp !$HOME_NET any ->
$HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA";itype:8;dsize:0;)).  And
they are indeed pings with no payload. Just seemed rather odd.

Other than that, 1.6.3-Beta6 seems to be running flawlessly.  Keep up the
good work, and thanks for all your time.

Thayne
fellow snortster

----- Original Message -----
From: Martin Roesch <roesch at ...1...>
To: Guy Bruneau <bruneau at ...126...>
Cc: Thayne Allen <thayne_a at ...125...>; <snort-users at lists.sourceforge.net>
Sent: Thursday, July 20, 2000 8:27 PM
Subject: Re: [Snort-users] Problem with version 1.6.2.2 and above...


> Turn the rule off?  Seriously, you should be able to examine the packet and
> see if you're getting pings with no payload.  If the rule is incorrect or
> giving false positives due to a bug, we should know about it.
>
> If this alert is annoying for you, just turn the rule off.  Pings can hardly
> be said to be hostile traffic in the most general case, so this rule merely
> provides information.
>
>     -Marty
>
> Guy Bruneau wrote:
> >
> > Yes I have noted the same thing here but I don't know of a fix.
> >
> > Guy Bruneau
> >
> > Thayne Allen wrote:
> >
> > > I was just wondering if anyone else was having this problem:
> > >
> > > Whenever I run Snort ver. 1.6.2.2 or 1.6.3-Beta6 on my RedHat box, I start
> > > getting a plethora of IDS162 - PING Nmap2.36BETA alerts coming from many
> > > different IP's, going to various IP's on my network.  Whenever I run 1.6
> > > using the exact same ruleset, I don't get these alerts at all.  Is this a
> > > bug in 1.6.2.2 and above?  Anyone else have this problem or know a fix?
> > > Thanks,
> > >
> > > fellow snortster
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> >
>
> --
> Martin Roesch                      <roesch at ...2...>
> Core R&D                         http://www.hiverworld.com
> Hiverworld, Inc.       Continuous Adaptive Risk Management
>
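
Added example, not part of the original thread and not Snort's own code: a stand-alone check of a captured IPv4 packet against the tests in the quoted IDS162 rule (source outside $HOME_NET, destination inside, `itype:8`, `dsize:0`), for confirming by hand whether alerting pings really carry no payload. The `HOME_NET` value, the sample packets, and the reading of `dsize` as the bytes after the 8-byte ICMP header are assumptions.

```python
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed stand-in for $HOME_NET


def build_echo(src, dst, payload=b"", icmp_type=8):
    """Construct a sample IPv4+ICMP packet (constructed data, checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + icmp


def matches_ids162(packet, home_net=HOME_NET):
    """Return True if the raw IPv4 packet satisfies the rule's header and option tests."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    # Require protocol ICMP (1), a complete capture, and a full 8-byte ICMP header.
    if ihl < 20 or packet[9] != 1 or total_len > len(packet) or total_len < ihl + 8:
        return False
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if src in home_net or dst not in home_net:  # !$HOME_NET any -> $HOME_NET any
        return False
    icmp_type = packet[ihl]
    # Assumption: dsize counts bytes after the ICMP header. The IP total length
    # is used so that link-layer padding after the datagram is not counted.
    payload_len = total_len - ihl - 8
    return icmp_type == 8 and payload_len == 0


if __name__ == "__main__":
    samples = {
        "empty echo request": build_echo("203.0.113.5", "192.0.2.10"),
        "echo request with data": build_echo("203.0.113.5", "192.0.2.10", b"abcdefgh"),
        "empty echo, padded frame": build_echo("203.0.113.5", "192.0.2.10") + b"\x00" * 18,
        "empty echo from inside": build_echo("192.0.2.7", "192.0.2.10"),
    }
    for name, pkt in samples.items():
        print(f"{name}: {matches_ids162(pkt)}")
```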



