[Snort-users] Backdoor-Q-icmp

Fernando Cardoso fernando at ...498...
Fri Sep 29 06:09:31 EDT 2000


Hi all

I've just downloaded the latest vision.conf sig file. As soon as I restarted
snort with the new sig lots of Backdoor-Q-icmp alerts appeared. I've checked
the logs and they are legitimate traffic (one of my watchdogs pinging my
upstream router and getting the ECHO_REPLY).

After checking old and new rulesets I found out that Max changed this rule:

snort.ruleset.new:alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS202/backdoor-Q-icmp"; dsize: >1; itype: 0;)
snort.ruleset.old:alert ICMP 255.255.255.0/24 any -> $INTERNAL any (msg: "IDS202/backdoor-Q-icmp"; itype: 0; dsize: >1;)

Any good reason for this changing or should I stick with the old
255.255.255.0/24?

Fernando


_________________________________________________________
Fernando Cardoso			Phone:	+351 21 7982186
Network Administrator		Fax:		+351 21 7982185
National Library			E-mail:	fernando at ...498...
Portugal				PGP ID:	28551CB8 
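The following is an added example, not part of Fernando's post or of the vision.conf ruleset. It is a small Python model of how each quoted rule variant decides on an ICMP packet, so the effect of the one field that changed (the source address) can be seen on the traffic he describes: an echo reply from an upstream router to a watched host. The HOME_NET value, the router address 192.0.2.1 and the watched host 10.0.0.5 are constructed assumptions; the two rule strings are the ones from the post with the grep file-name prefixes removed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed value for the $INTERNAL/$EXTERNAL variables; the post does not give it.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# The two rule variants quoted in the post (grep prefixes removed).
RULE_NEW = ('alert ICMP $EXTERNAL any -> $INTERNAL any '
            '(msg: "IDS202/backdoor-Q-icmp"; dsize: >1; itype: 0;)')
RULE_OLD = ('alert ICMP 255.255.255.0/24 any -> $INTERNAL any '
            '(msg: "IDS202/backdoor-Q-icmp"; itype: 0; dsize: >1;)')


@dataclass
class IcmpPacket:
    src: str
    dst: str
    itype: int   # ICMP type: 0 = echo reply, 8 = echo request
    dsize: int   # payload bytes, which is what Snort's dsize compares against


def addr_matches(addr, spec):
    """Evaluate a rule address field against one IP address."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "$INTERNAL":
        return ip in HOME_NET
    if spec == "$EXTERNAL":
        return ip not in HOME_NET
    return ip in ipaddress.ip_network(spec, strict=False)


def parse_rule(text):
    """Split a Snort rule into header fields and an options dict."""
    header, opts = text.split("(", 1)
    action, proto, src, sport, arrow, dst, dport = header.split()
    options = {}
    for opt in opts.rstrip(")").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, val = opt.split(":", 1)
        options[key.strip()] = val.strip().strip('"')
    return {"proto": proto, "src": src, "dst": dst, "options": options}


def dsize_ok(expr, dsize):
    """Handle the dsize forms used here: N, >N and <N."""
    m = re.fullmatch(r"([<>]?)\s*(\d+)", expr)
    op, n = m.group(1), int(m.group(2))
    if op == ">":
        return dsize > n
    if op == "<":
        return dsize < n
    return dsize == n


def rule_matches(rule, pkt):
    """True if the parsed rule would alert on the packet."""
    if rule["proto"] != "ICMP":
        return False
    if not addr_matches(pkt.src, rule["src"]):
        return False
    if not addr_matches(pkt.dst, rule["dst"]):
        return False
    opts = rule["options"]
    if "itype" in opts and pkt.itype != int(opts["itype"]):
        return False
    if "dsize" in opts and not dsize_ok(opts["dsize"], pkt.dsize):
        return False
    return True


def compare(pkt):
    """Return which of the two rule variants fires on the packet."""
    return {"old": rule_matches(parse_rule(RULE_OLD), pkt),
            "new": rule_matches(parse_rule(RULE_NEW), pkt)}


# Constructed sample traffic (not captured data).
ROUTER_REPLY = IcmpPacket("192.0.2.1", "10.0.0.5", itype=0, dsize=56)   # watchdog ping answer
ODD_SRC_REPLY = IcmpPacket("255.255.255.7", "10.0.0.5", itype=0, dsize=56)
ECHO_REQUEST = IcmpPacket("192.0.2.1", "10.0.0.5", itype=8, dsize=56)
EMPTY_REPLY = IcmpPacket("192.0.2.1", "10.0.0.5", itype=0, dsize=0)

if __name__ == "__main__":
    for name, pkt in [("router reply", ROUTER_REPLY), ("255.255.255.x reply", ODD_SRC_REPLY),
                      ("echo request", ECHO_REQUEST), ("empty reply", EMPTY_REPLY)]:
        print(f"{name:22} old={compare(pkt)['old']!s:5} new={compare(pkt)['new']}")
```

Running it shows the difference the post is asking about: with the old source mask only replies from the 255.255.255.0/24 range are flagged, while with `$EXTERNAL` every echo reply carrying any payload from outside HOME_NET is, which is exactly the normal answer to an outbound ping. The itype and dsize tests are identical in both versions, so they are not what changed.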


