[Snort-users] Rule content question.

Matt Kettler mkettler at ...4108...
Fri Aug 16 10:14:01 EDT 2002

What about this? (sid changed to a local-rules sid range)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP nonzero Large ICMP 
dsize: >800;content:! "|00|00|00|00|00|00|00|00|"; classtype:bad-unknown; 
sid:1000008; rev:1;)

Admittedly it only detects 8 00 bytes before deciding to ignore the packet, 
but you can expand it to more to reduce the false-negative rate.

Given your request for this, I take it you're trying to ignore AIX MTU 
probes, which use large pings of 00's.

Your other option, a little better, is to have a pass rule which passes 
ICMP echo's with the don't fragment bit set and contents of a whole pile of 
zero's, then leave the original rule intact. This way you have a lesser 
chance of passing things other than the AIX probes.

At 12:01 PM 8/16/2002 -0400, larosa, vjay wrote:
>I have a rule content question for the list,
>I seem to have a lot of happy packet generators on my network. No matter
>what I tell these people they always
>think they can some how get by me. I am finally giving up, I want to change
>the following rule,
>alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet";
>dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499;
>to ignore any ICMP packet that has a payload of all 00's. I am trying to
>figure out how I can mangle
>this rule to not trigger on these packets. These packets are all varying in
>size as well. Does anybody have
>any good idea? Thanks!

More information about the Snort-users mailing list