[Snort-users] ICMP rules from "ICMP tools" article and false positives.

Vitaly McLain twistah at ...93...
Wed Jan 3 23:52:37 EST 2001


Is anyone using the rules from that one ICMP article (I know the author
reads this list), the ones that detect ICMP-crafting tools like SING? The
reason I am asking is that I am getting TONS of false positives. And by
tons, I mean a _LOT_. The worst one of the bunch seems to be the "HPING2
Linux/*BSD" rule: Napster 'pings' (or so I assume) make it go off each time.
In about 1 hour of Napster use, Snort alerted me with this rule over 100
times! :(

Anyone else experiencing this, or has anyone hacked these rules, etc.? Just
curious, because they are good rules, but the false positives are just too
great on some of them.

Vitaly McLain
twistah at ...93...
twistah @ OPN & EfNet
"If you don't turn on to politics, politics will turn on you."
       - Ralph Nader