[Snort-users] [Fwd: Several Misbehaviors with the ICMP implementation (and the 'ping'utility) with MS based operating systems]

Fyodor fygrave at ...121...
Sun May 6 16:12:59 EDT 2001


On Sun, May 06, 2001 at 03:14:51PM -0400, Edwin Chiu wrote:
> Is there a snort signature for these packets? From what I remember, I don't
> think snort 1.7 can do it... what about 1.8?
> 

> -------- Original Message --------
> Subject: Several Misbehaviors with the ICMP implementation (and the
> 'ping'utility) with MS based operating systems
> Date: Thu, 3 May 2001 06:51:26 -0700
> From: Ofir Arkin <ofir at ...1987...>
> Reply-To: Ofir Arkin <ofir at ...1987...>
> To: BUGTRAQ at ...220...
> 
> RFC 792 (Internet Control Message Protocol) suggests how the ICMP Identifier
> field and the ICMP Sequence Number field should be used:
> 

We _CAN_ check ICMP ID ('icmp_id: ...') and ICMP SEQ
('icmp_seq') fields of an ICMP packet, if that was your
question :-> so up to you if you want to craft the rules ;-)
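An added example, not part of the original message and not Snort's own code: a Python sketch of what exact-match checks on the RFC 792 Identifier and Sequence Number fields of an echo message look at, which is what the `icmp_id` and `icmp_seq` rule options mentioned above test. The function names, the choice to drop packets with a bad checksum, and all sample values are assumptions constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident, seq, payload=b"", icmp_type=8):
    """Constructed sample input: ICMP echo request (8) or reply (0)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(icmp: bytes):
    """Return (type, id, seq) for a well-formed echo message, else None."""
    if len(icmp) < 8:
        return None                      # truncated header
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (0, 8) or code != 0:
        return None                      # this sketch handles echo only
    if inet_checksum(icmp) != 0:
        return None                      # a valid message sums to zero
    return icmp_type, ident, seq         # id = bytes 4-5, seq = bytes 6-7

def rule_matches(icmp, itype=None, icmp_id=None, icmp_seq=None):
    """Exact-match test; an option left as None is not checked."""
    parsed = parse_echo(icmp)
    if parsed is None:
        return False
    wanted = (itype, icmp_id, icmp_seq)
    return all(w is None or w == got for w, got in zip(wanted, parsed))

if __name__ == "__main__":
    # Constructed values, not taken from the advisory quoted above.
    pkt = build_echo(0x1234, 7, b"abcdefgh")
    print(parse_echo(pkt))
    print(rule_matches(pkt, itype=8, icmp_id=0x1234, icmp_seq=7))
    # Both fields are in network byte order: a byte-swapped value misses.
    print(rule_matches(pkt, icmp_id=0x3412))
```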





