[Snort-users] Backdoor-Q-icmp

Max Vision vision at ...4...
Fri Sep 29 09:55:42 EDT 2000


Sorry about that - the source addresses are supposed to be
255.255.255.255/32 for each.  They were accidentally changed to $EXTERNAL
during a broad database update.  The current vision.conf reflects the
corrected values (again).

Max

On Fri, 29 Sep 2000, Fernando Cardoso wrote:

> Hi all
> 
> I've just downloaded the latest vision.conf sig file. As soon as I restarted
> snort with the new sig lots of Backdoor-Q-icmp alerts appeared. I've checked
> the logs and they are legitimate traffic (one of my watchdogs pinging my
> upstream router and getting the ECHO_REPLY).
> 
> After checking old and new rulesets I found out that Max changed this rule:
> 
> snort.ruleset.new:alert ICMP $EXTERNAL any -> $INTERNAL any (msg:
> "IDS202/backdoor-Q-icmp"; dsize: >1; itype: 0;)
> snort.ruleset.old:alert ICMP 255.255.255.0/24 any -> $INTERNAL any (msg:
> "IDS202/backdoor-Q-icmp"; itype: 0; dsize: >1;)
> 
> Any good reason for this changing or should I stick with the old
> 255.255.255.0/24?
> 
> Fernando
> 
> 
> _________________________________________________________
> Fernando Cardoso			Phone:	+351 21 7982186
> Network Administrator		Fax:		+351 21 7982185
> National Library			E-mail:	fernando at ...498...
> Portugal				PGP ID:	28551CB8 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 
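As an added illustration (not part of this thread and not code from the vision.conf rule set), here is a small Python matcher that evaluates the two IDS202 headers quoted above against a few constructed ICMP packets. It shows why the $EXTERNAL version fires on an ordinary ECHO_REPLY from an upstream router while the 255.255.255.255/32 version only fires when the reply carries the limited-broadcast address as its source, which no legitimate unicast reply does. The values substituted for $EXTERNAL and $INTERNAL, the sample addresses, the packet sizes and the packet names are all assumptions made for the example.

```python
import ipaddress
import re

# Assumed values for the Snort variables (not taken from the thread).
VARS = {
    "$EXTERNAL": "0.0.0.0/0",        # assumption: "anything" outside
    "$INTERNAL": "192.168.1.0/24",   # assumption: the monitored network
}

# The two rule headers exactly as quoted in the thread.
RULE_BROKEN = ('alert ICMP $EXTERNAL any -> $INTERNAL any '
               '(msg: "IDS202/backdoor-Q-icmp"; dsize: >1; itype: 0;)')
RULE_FIXED = ('alert ICMP 255.255.255.255/32 any -> $INTERNAL any '
              '(msg: "IDS202/backdoor-Q-icmp"; itype: 0; dsize: >1;)')

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def parse_rule(text):
    """Parse a Snort 1.x-style rule into its header fields and options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, _sport, dst, _dport, opts = m.groups()
    options = {}
    for opt in opts.split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(':')
        options[key.strip()] = val.strip().strip('"')
    return {
        "action": action,
        "proto": proto.upper(),
        "src": ipaddress.ip_network(VARS.get(src, src), strict=False),
        "dst": ipaddress.ip_network(VARS.get(dst, dst), strict=False),
        "msg": options.get("msg", ""),
        "itype": int(options["itype"]) if "itype" in options else None,
        "dsize": options.get("dsize"),
    }


def dsize_matches(spec, size):
    """Evaluate a Snort dsize spec (">N", "<N" or "N") against a payload size."""
    if spec is None:
        return True
    if spec.startswith('>'):
        return size > int(spec[1:])
    if spec.startswith('<'):
        return size < int(spec[1:])
    return size == int(spec)


def rule_matches(rule, pkt):
    """True if the packet satisfies the rule's header and ICMP options."""
    return (pkt["proto"] == rule["proto"]
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and (rule["itype"] is None or pkt["itype"] == rule["itype"])
            and dsize_matches(rule["dsize"], pkt["dsize"]))


# Constructed sample traffic (not captured data; addresses are assumptions).
PACKETS = [
    # a watchdog's ping to the upstream router answered with an ECHO_REPLY
    {"name": "legit-echo-reply", "proto": "ICMP", "src": "203.0.113.1",
     "dst": "192.168.1.10", "itype": 0, "dsize": 56},
    # an ECHO_REPLY arriving with the limited-broadcast source the rule keys on
    {"name": "spoofed-source-reply", "proto": "ICMP", "src": "255.255.255.255",
     "dst": "192.168.1.10", "itype": 0, "dsize": 40},
    # an ECHO_REQUEST (itype 8) must not fire either rule
    {"name": "echo-request", "proto": "ICMP", "src": "255.255.255.255",
     "dst": "192.168.1.10", "itype": 8, "dsize": 40},
]


def alerts(rule_text):
    """Names of the sample packets that would raise an alert under rule_text."""
    rule = parse_rule(rule_text)
    return [p["name"] for p in PACKETS if rule_matches(rule, p)]


if __name__ == "__main__":
    print("$EXTERNAL source:        ", alerts(RULE_BROKEN))
    print("255.255.255.255/32 source:", alerts(RULE_FIXED))
```

Run it and the $EXTERNAL variant alerts on both echo replies, including the watchdog's legitimate one, while the 255.255.255.255/32 variant alerts only on the reply whose source is the limited-broadcast address. The same check applies to any signature that relies on an impossible source address: substituting $EXTERNAL for it turns a tight signature into "every echo reply with a payload".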



