[Snort-users] [Fwd: Several Misbehaviors with the ICMP implementation (and the 'ping' utility) with MS based operating systems]

Max Vision vision at ...4...
Sun May 6 22:43:54 EDT 2001


On Mon, 7 May 2001, Fyodor wrote:
> On Sun, May 06, 2001 at 03:14:51PM -0400, Edwin Chiu wrote:
> > Is there a snort signature for these packets? From what I remember, I don't
> > think snort 1.7 can do it... what about 1.8?
> >
Snort 1.7 supports icmp_seq and icmp_id...

intrusion events that use the icmp_seq number:
 IDS178/Ping CyberCop55 (18467)
 IDS182/ddos-tfn-server-response (0)
 IDS183/ddos-tfn-client-command-le (0)
 IDS184/ddos-tfn-client-command-be (0)
 IDS449/ping-Nemesis v1.1 Echo (0)
 IDS450/ping-icmpenum v1.1.1 (0)

intrusion events that use icmp_id:
 IDS182/ddos-tfn-server-response (123)
 IDS183/ddos-tfn-client-command-le (51201)
 IDS184/ddos-tfn-client-command-be (456)
 IDS190/ddos-stacheldraht client-check (666)
 IDS191/ddos-stacheldraht server-response (667)
 IDS192/ddos-stacheldraht client-spoofworks (1000)
 IDS193/ddos-stacheldraht server-spoof (666)
 IDS194/ddos-stacheldraht client-check-gag (39938)
 IDS195/ddos-stacheldraht server-response-gag (669)
 IDS425/ddos-tfn2k-icmp_possible_communication (0)
 IDS443/ddos-tfn-probe (678)
 IDS449/ping-Nemesis v1.1 Echo (0)
 IDS450/ping-icmpenum v1.1.1 (666)
 IDS486/ping-Sentinel Etherping (31337)

Max
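
The following is an added example, not part of the message above and not Snort code: it reads the identifier and sequence fields of an ICMP echo header in network byte order and returns the listed events whose values agree with them. The names `SIGNATURES`, `parse_echo`, `candidates` and `SAMPLE` are hypothetical, the restriction to echo request and reply is an assumption, and a match is only a candidate because the message lists nothing but these two fields for each event.

```python
import struct

# (event, icmp_id, icmp_seq) as listed in the message; None = field not listed.
SIGNATURES = [
    ("IDS178/Ping CyberCop55", None, 18467),
    ("IDS182/ddos-tfn-server-response", 123, 0),
    ("IDS183/ddos-tfn-client-command-le", 51201, 0),  # 0xC801: 456 byte-swapped
    ("IDS184/ddos-tfn-client-command-be", 456, 0),    # 0x01C8
    ("IDS190/ddos-stacheldraht client-check", 666, None),
    ("IDS191/ddos-stacheldraht server-response", 667, None),
    ("IDS192/ddos-stacheldraht client-spoofworks", 1000, None),
    ("IDS193/ddos-stacheldraht server-spoof", 666, None),
    ("IDS194/ddos-stacheldraht client-check-gag", 39938, None),
    ("IDS195/ddos-stacheldraht server-response-gag", 669, None),
    ("IDS425/ddos-tfn2k-icmp_possible_communication", 0, None),
    ("IDS443/ddos-tfn-probe", 678, None),
    ("IDS449/ping-Nemesis v1.1 Echo", 0, 0),
    ("IDS450/ping-icmpenum v1.1.1", 666, 0),
    ("IDS486/ping-Sentinel Etherping", 31337, None),
]

ECHO_TYPES = {0, 8}  # echo reply / echo request (assumption: only these are checked)


def parse_echo(icmp: bytes):
    """Return (icmp_id, icmp_seq) from a raw ICMP message, or None if not an echo."""
    if len(icmp) < 8:  # type, code, checksum, id, seq = 8 bytes
        return None
    icmp_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in ECHO_TYPES:
        return None
    return ident, seq


def candidates(icmp: bytes):
    """Names of listed events whose id/seq values agree with this packet."""
    fields = parse_echo(icmp)
    if fields is None:
        return []
    ident, seq = fields
    return [name for name, want_id, want_seq in SIGNATURES
            if want_id in (None, ident) and want_seq in (None, seq)]


# Constructed sample: echo reply, id 666, seq 0, checksum left zero (not verified here).
SAMPLE = struct.pack("!BBHHH", 0, 0, 0, 666, 0) + b"constructed"
```

An id of 666 with seq 0 agrees with three listed events at once, which shows why these two fields alone cannot tell them apart.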





