[Snort-users] icmp.rules

Brian Caswell bmc at ...312...
Tue Apr 17 14:49:59 EDT 2001


"Clifford, Shawn A" wrote:
> The rule in 'icmp.rules' whose msg is: "ICMP Nmap2.36BETA or HPING2 Echo "
> is triggered by icmp pings from Perl's Net::Ping module.

> Should "Perl" be added to the msg string?

I would think... No.  Most of the time, that type of ping is only seen by nmap
or hping2.  I can craft those packets with libnet, nemesis, and a whistle
(PPP, phone, 300 baud? ... never mind)

The reason that rule states nmap or hping is because those are the USUAL tools
that trigger those rules.

-brian



