[Snort-users] ICMP rules from "ICMP tools" article and false positives.

Ofir Arkin ofir at ...949...
Thu Jan 4 22:21:10 EST 2001

Hi Vitaly,

I am responsible for this :)

Seems the HPING2 rule is VERY generic so it matches a lot of traffic.
I can offer u to make it a more generic rule stating "Ping with 8 bytes of
data only..." Instead of "HPING2...".

I am working on tuning them a bit more. TOS for example and when MF DF and
Unused bits will be available (probably soon) even more.

Hope this helps.

Ofir Arkin
ofir at ...949...
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Vitaly McLain
Sent: Wednesday, January 03, 2001 8:53 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] ICMP rules from "ICMP tools" article and false


Is anyone using the rules from that one ICMP article (I know the author
reads this list); the ones that detect ICMP-crafting tools like SING? The
reason I am asking is that I am getting TONS of false positives. And by
tons, I mean a _LOT_. The worst one of the bunch seems to be the "HPING2
Linux/*BSD" rule: Napster 'pings' (or so I assume) make it go off each time.
In about 1 hour of Napster use, Snort alerted me with this rule over 100
times! :(

Anyone else experiencing this, or has anyone hacked these rules, etc? Just
curious, because they are good rules, but the false positives are just too
great on some of them.

Vitaly McLain
twistah at ...93...
twistah @ OPN & EfNet
"If you don't turn on to politics, politics will turn on you."
       - Ralph Nader

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:

More information about the Snort-users mailing list