[Snort-users] Backdoor-Q-icmp

Fyodor fygrave at ...121...
Fri Sep 29 17:42:01 EDT 2000


~ :upstream router and getting the ECHO_REPLY).
~ :
~ :After checking old and new rulesets I found out that Max changed this rule:
~ :
~ :snort.ruleset.new:alert ICMP $EXTERNAL any -> $INTERNAL any (msg:
~ :"IDS202/backdoor-Q-icmp"; dsize: >1; itype: 0;)
~ :snort.ruleset.old:alert ICMP 255.255.255.0/24 any -> $INTERNAL any (msg:
~ :"IDS202/backdoor-Q-icmp"; itype: 0; dsize: >1;)
~ :
~ :Any good reason for this change, or should I stick with the old
~ :255.255.255.0/24?
~ :

 $EXTERNAL looks correct to me.
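
To show how the two rule headers quoted above differ in scope, this added example (not part of the original thread, and not Snort code) evaluates both against constructed ICMP packets. The 192.0.2.0/24 value for $INTERNAL and the definition of $EXTERNAL as everything outside it are assumptions; the thread does not give them.

```python
import ipaddress
from dataclasses import dataclass

# Assumed site values: the thread does not state them.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")        # stand-in for $INTERNAL
OLD_SOURCE = ipaddress.ip_network("255.255.255.0/24")  # source in the old rule


@dataclass
class IcmpPacket:
    src: str
    dst: str
    itype: int      # 0 = echo reply, 8 = echo request
    payload: bytes  # data after the ICMP header (what dsize measures)


def in_old_source(addr):
    # 255.255.255.0/24 covers only 255.255.255.0 through 255.255.255.255.
    return ipaddress.ip_address(addr) in OLD_SOURCE


def in_external(addr):
    # Assumption: $EXTERNAL means "any address that is not in $INTERNAL".
    return ipaddress.ip_address(addr) not in INTERNAL


def matches(pkt, src_test):
    # Header: ICMP <src> any -> $INTERNAL any; options: itype: 0; dsize: >1
    return (src_test(pkt.src)
            and ipaddress.ip_address(pkt.dst) in INTERNAL
            and pkt.itype == 0
            and len(pkt.payload) > 1)


def evaluate(pkt):
    return {"old": matches(pkt, in_old_source),
            "new": matches(pkt, in_external)}


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "reply from upstream router": IcmpPacket("198.51.100.1", "192.0.2.10", 0, b"x" * 56),
    "reply, source 255.255.255.0": IcmpPacket("255.255.255.0", "192.0.2.10", 0, b"x" * 8),
    "request from outside": IcmpPacket("198.51.100.1", "192.0.2.10", 8, b"x" * 56),
    "reply, 1-byte payload": IcmpPacket("255.255.255.0", "192.0.2.10", 0, b"x"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:30} {evaluate(pkt)}")
```

With these assumptions, the $EXTERNAL form matches every echo reply with a payload that arrives from outside, including replies to pings sent from the internal network, while the old form matches only the 255.255.255.0/24 source range.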



