[Snort-users] icmp.rules

Brian Caswell bmc at ...312...
Tue Apr 17 14:49:59 EDT 2001

"Clifford, Shawn A" wrote:
> The rule in 'icmp.rules' whose msg is: "ICMP Nmap2.36BETA or HPING2 Echo "
> is triggered by icmp pings from Perl's Net::Ping module.

> Should "Perl" be added to the msg string?

I would think... No.  Most of the time, that type of ping is only seen by nmap
or hping2.  I can craft those packets with libnet, nemesis, and a whistle
(PPP, phone, 300 baud? ... never mind)

The reason that rule states nmap or hping is because those are the USUAL tools
that trigger those rules.

