[Snort-users] icmp-info.rules

Phil Wood cpw at ...440...
Wed Apr 25 12:32:53 EDT 2001


In the file:
  Version: # $Id: icmp-info.rules,v 1.1 2001/04/20 03:43:51 cazz Exp $

The following rule triggers for normal icmp echo requests:

alert icmp $EXTERNAL any -> $INTERNAL any (msg: "ICMP PING (Undefined Code!)"; itype: 8;)

If the order of the rules means anything, then I'd put that rule at the
end of the list, and pray.  I did that and got "ICMP PING *NIX" which
triggered on a linux default 'ping host -c 1'.

As far as the 26 different "PING" (itype:8) rules, only 2 of them have an
icode of 0 specified.  The rest have no icode specified.  So, the packet
could have an undefined code.

I've taken the set of icmp alert rules and changed them to pass, and only
alert on unknown icmp type/code.  Who needs thousands and thousands of
icmp echo request/replies in the sql database?  You don't have to answer
that question.  I'm sure someone does.

This brings up a thought.  Is it possible now with the most recent cvs
release to define an event type which would end up in the pcap log (-b),
but not get sent to a database (acid)?  Then, you could always go to the
video tape to find an "alert" that you had decided not to enshrine in an sql



(I guess this was a little bit of a ramble)

More information about the Snort-users mailing list