fernando at ...498...
Fri Sep 29 06:09:31 EDT 2000
I've just downloaded the latest vision.conf sig file. As soon as I restarted
snort with the new sig lots of Backdoor-Q-icmp alerts appeared. I've checked
the logs and they are legitimate traffic (one of my watchdogs pinging my
upstream router and getting the ECHO_REPLY).
After checking old and new rulesets I found out that Max changed this rule:
snort.ruleset.new:alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS202/backdoor-Q-icmp"; dsize: >1; itype: 0;)
snort.ruleset.old:alert ICMP 255.255.255.0/24 any -> $INTERNAL any (msg: "IDS202/backdoor-Q-icmp"; itype: 0; dsize: >1;)
Any good reason for this change or should I stick with the old
Fernando Cardoso Phone: +351 21 7982186
Network Administrator Fax: +351 21 7982185
National Library E-mail: fernando at ...498...
Portugal PGP ID: 28551CB8
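To make the false-positive mechanism in the post concrete, here is an added example (not code from the post, from Max's ruleset, or from Snort itself) that evaluates both versions of the IDS202 rule against a few constructed ICMP packets. It assumes $INTERNAL is 192.168.1.0/24, that $EXTERNAL means "not $INTERNAL", and uses made-up addresses for the watchdog host and the upstream router; the packet records are constructed sample data, not captured traffic.

```python
import ipaddress
from dataclasses import dataclass

# Assumed value of $INTERNAL for this example; $EXTERNAL is treated as its complement.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class IcmpPacket:
    """Minimal view of an ICMP packet: the fields the two rules inspect."""
    src: str
    dst: str
    itype: int   # ICMP type: 0 = echo reply, 8 = echo request
    dsize: int   # payload length in bytes


@dataclass
class Rule:
    """A stripped-down model of the Snort rule header plus itype/dsize options."""
    msg: str
    src: str         # "$EXTERNAL" or a CIDR string such as "255.255.255.0/24"
    itype: int       # itype: N
    min_dsize: int   # dsize: >N

    def src_matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.src == "$EXTERNAL":
            return addr not in INTERNAL
        return addr in ipaddress.ip_network(self.src)

    def matches(self, pkt: IcmpPacket) -> bool:
        dst = ipaddress.ip_address(pkt.dst)
        return (
            self.src_matches(pkt.src)
            and dst in INTERNAL
            and pkt.itype == self.itype
            and pkt.dsize > self.min_dsize
        )


# The two rule versions quoted in the post, reduced to the fields modelled above.
NEW_RULE = Rule("IDS202/backdoor-Q-icmp (new)", "$EXTERNAL", itype=0, min_dsize=1)
OLD_RULE = Rule("IDS202/backdoor-Q-icmp (old)", "255.255.255.0/24", itype=0, min_dsize=1)

# Constructed sample traffic (addresses are placeholders, not real hosts).
PACKETS = [
    # Legitimate echo reply: upstream router answering the watchdog's ping.
    IcmpPacket(src="10.0.0.1", dst="192.168.1.5", itype=0, dsize=56),
    # The watchdog's own echo request going out: wrong direction and type.
    IcmpPacket(src="192.168.1.5", dst="10.0.0.1", itype=8, dsize=56),
    # An echo reply with no payload: fails dsize: >1 under both rules.
    IcmpPacket(src="10.0.0.1", dst="192.168.1.5", itype=0, dsize=0),
    # An echo reply from the address range the old rule was written for.
    IcmpPacket(src="255.255.255.255", dst="192.168.1.5", itype=0, dsize=40),
]


def alerts(rule: Rule, packets: list) -> list:
    """Return the source addresses of the packets that trigger the given rule."""
    return [p.src for p in packets if rule.matches(p)]


if __name__ == "__main__":
    for rule in (NEW_RULE, OLD_RULE):
        print(rule.msg, "->", alerts(rule, PACKETS))
```

Running it shows the difference the post describes: the new rule fires on every payload-carrying echo reply from outside, the router's legitimate answer included, while the old rule only fires when the source address falls inside 255.255.255.0/24. Widening the source to $EXTERNAL turns the rule into "any external echo reply with a payload", which is exactly what a watchdog ping produces.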