[Snort-users] MISC Large ICMP Packet

shawn . moyer shawn at ...1184...
Sat Apr 7 19:48:59 EDT 2001


Aaron McKinnon wrote:
 
> Shawn,
> 
> That's a great idea! Would you be kind enough to copy that line and 
> send it to the group (or just me...)?
 
I'd suggest instead tuning the rule to match your needs (grep for the
alert message in your snort rules, and read Marty's doc on the website
about writing rules, and inspect the packets that are generating the
alerts), rather than just using what worked for me.

As Jan said, what works for one setup might not be right for everyone.
In my case, I use VPN encapsulation for a couple of things and big
MTUs, so the extra padding the encapsulation added was causing the rule
to trigger a lot, which required me to tune the rule to match my setup.

In my case I needed to tweak dsize: param to 1100 to stop the false
positives inside my network, but that might be totally invalid for
someone else. 

As with any IDS, the default ruleset is designed to work well for
general use, and is just a starting point. There's no one ruleset that
works for everybody, so tuning things to match your network's setup is a
big part of getting this stuff to work for you.

--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
                             -- Ted Turner
> -----------------------------------
> Aaron McKinnon
> System Administrator
> Fullerene Productions, Inc.
> 3250 Wilshire Blvd. Suite 2000
> Los Angeles, CA 90010
> 213.365.1692
> -----------------------------------
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of shawn .
> moyer
> Sent: Thursday, April 05, 2001 12:12 PM
> To: Aaron McKinnon
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] MISC Large ICMP Packet
> 
> Aaron McKinnon wrote:
> >
> > Getting lots of these:
> >
> > [**] MISC Large ICMP Packet [**]
> > 04/04-10:08:22.879950 208.223.170.122 -> 208.158.118.4
> > ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
> > Type:8  Code:0  ID:39612   Seq:57072  ECHO
> >
> > This machine is a web server. As best I can tell from some research this
> is
> > nothing to worry about. Does anyone see a reason why I shouldn't disable
> > this rule?
> 
> I noticed this rule firing a lot as well -- rather than disable it I
> increased the dsize: setting in the rule to larger than the legitimate
> packets that were triggering the rule.
> 
> --shawn
> 
> --
> 
> s h a w n   m o y e r
> shawn at ...1184...
> 
> "Nuclear war would really set back cable."
>                              -- Ted Turner
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
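An added example, not code from either poster: it takes the alert block quoted above, plus one constructed alert standing in for padded VPN echo traffic, and works out what the rule's dsize: test actually compares so a new threshold can be chosen from observed packets rather than guessed. It assumes that for an echo packet Snort's dsize: is the data following the 8-byte ICMP header, i.e. DgmLen - IpLen - 8.

```python
import re

# Assumption: dsize: for an ICMP echo is the payload after the 8-byte ICMP
# header, so from the IP fields printed in an alert it is DgmLen - IpLen - 8.
ICMP_HDR_LEN = 8

# Matches one full-format Snort alert block down to the IpLen/DgmLen fields.
ALERT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\s*\n"
    r"(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)\s*\n"
    r"ICMP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)"
)

def icmp_payload_size(iplen: int, dgmlen: int) -> int:
    """Bytes the dsize: test sees for an ICMP echo with these IP header fields."""
    return dgmlen - iplen - ICMP_HDR_LEN

def parse_icmp_alerts(text: str) -> list:
    """Pull src, dst and the dsize-relevant length out of Snort full-alert text."""
    return [{"msg": m["msg"], "src": m["src"], "dst": m["dst"],
             "dsize": icmp_payload_size(int(m["iplen"]), int(m["dgmlen"]))}
            for m in ALERT_RE.finditer(text)]

def still_firing(alerts: list, threshold: int) -> list:
    """Alerts that would still match if the rule were rewritten as dsize:>threshold."""
    return [a for a in alerts if a["dsize"] > threshold]

def threshold_to_silence(alerts: list) -> int:
    """Smallest dsize:> value at which none of these (known-benign) alerts match."""
    return max(a["dsize"] for a in alerts) if alerts else 0

# Constructed sample: the first block is the alert quoted in the thread, the
# second is made up (a 1028-byte datagram, as padded encapsulated echo might be).
SAMPLE_ALERTS = """\
[**] MISC Large ICMP Packet [**]
04/04-10:08:22.879950 208.223.170.122 -> 208.158.118.4
ICMP TTL:245 TOS:0x0 ID:14913 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:39612   Seq:57072  ECHO

[**] MISC Large ICMP Packet [**]
04/04-10:09:01.000000 10.0.0.5 -> 10.0.0.9
ICMP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:1028
Type:8  Code:0  ID:1  Seq:1  ECHO
"""

if __name__ == "__main__":
    alerts = parse_icmp_alerts(SAMPLE_ALERTS)
    for a in alerts:
        print(f"{a['src']} -> {a['dst']}: dsize {a['dsize']}")
    print("still firing at dsize:>1100:", [a["src"] for a in still_firing(alerts, 1100)])
```

The 1500-byte datagram from the quoted alert carries 1472 bytes of echo data, so raising the threshold to 1100 would quiet the padded 1000-byte packets but not that one; the right value depends on the sizes seen on your own network.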