[Snort-users] Rule content question.
larosa_vjay at ...3331...
Fri Aug 16 09:02:07 EDT 2002
I have a rule content question for the list,
I seem to have a lot of happy packet generators on my network. No matter
what I tell these people they always think they can somehow get by me. I am
finally giving up, I want to change the following rule,
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet";
dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499;
to ignore any ICMP packet that has a payload of all 00's. I am trying to
figure out how I can mangle this rule to not trigger on these packets. These
packets are all varying in size as well. Does anybody have any good ideas?
Thanks!
V.Jay LaRosa EMC Corporation
Information Security 171 South Street
(508)249-3355 office Hopkinton, MA 01748
(508)498-5575 cell www.emc.com
(888-799-9750 pager larosa_vjay at ...3331...
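
The condition asked about above, written out as an added example (not part of the original message and not Snort code): alert on an ICMP payload larger than 800 bytes unless every payload byte is 00, whatever the size. It assumes the payload is counted after the 8-byte ICMP header and does not model the $EXTERNAL_NET -> $HOME_NET direction; the function names and sample packets are constructed for illustration.

```python
import struct
from typing import Optional

ICMP_HEADER_LEN = 8      # assumption: payload starts after type/code/checksum/id/seq
DSIZE_THRESHOLD = 800    # from the rule's "dsize: >800"


def icmp_payload(ip_packet: bytes) -> Optional[bytes]:
    """Return the ICMP payload of a raw IPv4 packet, or None if not ICMP or malformed."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or ip_packet[9] != 1:          # protocol 1 = ICMP
        return None
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    if total_len > len(ip_packet) or total_len < ihl + ICMP_HEADER_LEN:
        return None                            # truncated or too short for ICMP
    return ip_packet[ihl + ICMP_HEADER_LEN:total_len]


def should_alert(ip_packet: bytes) -> bool:
    """Large ICMP packet check that stays quiet when the payload is all 00 bytes."""
    payload = icmp_payload(ip_packet)
    if payload is None or len(payload) <= DSIZE_THRESHOLD:
        return False
    # any() over bytes is True as soon as one non-zero byte is seen,
    # so the check works for payloads of any size.
    return any(payload)


def build_icmp_echo(payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4 + ICMP echo request, checksums left at zero."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + icmp


if __name__ == "__main__":
    samples = {                                # all constructed for this example
        "1200 bytes of 00": b"\x00" * 1200,
        "900 bytes of 00 plus one 01": b"\x00" * 900 + b"\x01",
        "64-byte ordinary ping": b"A" * 64,
    }
    for name, data in samples.items():
        print(f"{name}: alert={should_alert(build_icmp_echo(data))}")
```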