[Snort-users] MISC Large ICMP Packet

jan at ...1739...
Fri Apr 6 15:59:49 EDT 2001

> That's a great idea! Would you be kind enough to copy that line and send it
> to the group (or just me...)?

Actually I'm not sure whether it's a good idea, since I'd still like to
know when some ICMP packet with a payload of 1500 reaches my net and
it's not all zeros - especially considering all the recent buzz about
ICMP tunneling. Some things really scare me. 

I haven't really thought about it yet, but wouldn't it be possible to
write a pass rule for the usual HP-UX and AIX MTU discovery packets, so
you just get alerted on everything else...? Might not be funny though,
a rule with 1500 zeros in it may not be an option :-%

Bye, Jan

Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
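
The check discussed in this message, sketched as an added example (not part of the original post and not Snort code): it passes large ICMP echo requests whose payload is entirely zero bytes and alerts on any other large ICMP payload. The size threshold, the function names, the assumption that the discovery probes are echo requests, and the sample packets are all constructed for illustration.

```python
import struct

LARGE_PAYLOAD = 1000  # assumed "large" threshold in bytes; not a value from the post
ICMP_ECHO_REQUEST = 8  # assumption: the MTU discovery probes are echo requests


def build_icmp(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header + 8-byte ICMP header + payload.
    Checksums are left at zero because the classifier does not verify them."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + icmp


def classify(packet: bytes) -> str:
    """Return 'ignore' (not a large ICMP packet), 'pass' (large echo request
    with an all-zero payload) or 'alert' (any other large ICMP payload)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "ignore"                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4             # IP header length, options included
    if ihl < 20 or packet[9] != 1:
        return "ignore"                      # malformed header or not ICMP
    total_len = struct.unpack("!H", packet[2:4])[0]
    icmp = packet[ihl:min(total_len, len(packet))]
    if len(icmp) < 8:
        return "ignore"                      # truncated ICMP header
    payload = icmp[8:]
    if len(payload) <= LARGE_PAYLOAD:
        return "ignore"
    # Checking the bytes in code avoids a rule that spells out 1500 zeros.
    if icmp[0] == ICMP_ECHO_REQUEST and not any(payload):
        return "pass"
    return "alert"


if __name__ == "__main__":
    samples = {
        "zero-filled probe": build_icmp(bytes(1472)),
        "large payload with data": build_icmp(bytes(700) + b"constructed data" + bytes(756)),
        "ordinary ping": build_icmp(b"abcdefgh" * 7),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify(pkt)}")
```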
