[Snort-users] icmp.rules

Clifford, Shawn A shawn.a.clifford at ...178...
Tue Apr 17 14:08:16 EDT 2001


I meant for this to go in my last post as well.

The rule in 'icmp.rules' whose msg is: "ICMP Nmap2.36BETA or HPING2 Echo "
is triggered by icmp pings from Perl's Net::Ping module.

The following code will illustrate this on your snort box:

#!/usr/local/bin/perl
#
#  icmp_ping.pl
#

use strict;
use warnings;
use Net::Ping;

# Net::Ping's ICMP mode opens a raw socket, so it needs root.
if ($> != 0) {
   die "You must be 'root' to use icmp ping\n";
}

#
#  Create a ping object:  ICMP protocol w/ 2 second timeout.
#
my $p = Net::Ping->new("icmp", 2);

foreach my $node (@ARGV) {
	print "Pinging ", $node, " ... ";
	print scalar(localtime()), " : $node is ";
	print "NOT " unless $p->ping($node);
	print "reachable.\n";
}

$p->close();

To test:  ./icmp_ping.pl <snort_host>

Check your alert file.

Should "Perl" be added to the msg string?

-- Shawn
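An added example, not part of Shawn's post: to my recollection the rule in question fires on an echo request carrying no data (itype 8, dsize 0), which is an assumption here since the post does not quote the rule. The code below builds two constructed ICMP echo requests, one data-less like Net::Ping's and one with a typical 56-byte payload, and applies that check to each so you can see why only the first would alert.

```python
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request (type 8, code 0) with the given payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Return type, code, id, seq, data size and checksum validity."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than 8-byte header")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {
        "itype": itype,
        "code": code,
        "id": ident,
        "seq": seq,
        "dsize": len(pkt) - 8,
        # A valid checksum makes the checksum over the whole message zero.
        "checksum_ok": icmp_checksum(pkt) == 0,
    }


def matches_empty_echo_rule(pkt: bytes) -> bool:
    """Assumed rule logic: echo request (itype 8) with no data (dsize 0)."""
    info = parse_icmp(pkt)
    return info["itype"] == 8 and info["dsize"] == 0


# Constructed samples (not captured traffic).
NET_PING_STYLE = build_echo_request(0x1234, 1)            # no data
OS_PING_STYLE = build_echo_request(0x1234, 1, bytes(56))  # 56-byte payload

if __name__ == "__main__":
    for name, pkt in (("Net::Ping-style", NET_PING_STYLE), ("OS ping", OS_PING_STYLE)):
        print(name, parse_icmp(pkt), "alerts:", matches_empty_echo_rule(pkt))
```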



