[Snort-users] RE: Rule content question.

Clint Byrum cbyrum at ...6660...
Tue Aug 20 13:50:04 EDT 2002


On Tue, Aug 20, 2002 at 03:35:34PM -0400, larosa, vjay wrote:
<snip>
> > I seem to have a lot of happy packet generators on my network. No matter
> > what I tell these people they always
> > think they can somehow get by me. I am finally giving up, I want to
> > change the following rule,
> > 
> > alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP
> > Packet"; 
> > dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499;
> > rev:3;)
> > 
> > to ignore any ICMP packet that has a payload of all 00's. I am trying to
> > figure out how I can mangle

You *could* use a pass rule before this one to allow specific harmless 
all-zero pings through.

I'd say though, that this can probably be tuned out. Is this type of
traffic really so telling of an "intrusion"?
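The pass-rule approach suggested above, written out as an added example (not part of the original reply or the Snort distribution). It assumes a Snort 2.x rule set where the pcre keyword is available (the pcre option did not exist in the 1.x releases current in 2002; on those versions only a fixed-length content match against the start of the payload is possible), and it assumes that pass rules are evaluated before alert rules, which in Snort 2.x is not the default order: the original poster would need to start Snort with the -o switch (or the equivalent config order directive in snort.conf), otherwise sid 499 still fires first. The sid 1000499 is an arbitrary local-range identifier chosen here, not an official one.

```snort
# Added example, not from the original post or the Snort rule set.
# Pass rule: drop large ICMP packets whose entire payload is 0x00 bytes from
# further rule processing. dsize:>800 mirrors the alert rule below so that only
# the packets it would have flagged are exempted; the PCRE anchors at the
# start and end of the payload, so a single non-zero byte anywhere in the
# data means this rule does not match and the alert below still applies.
pass icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP large all-zero payload (tuned out)"; dsize:>800; pcre:"/^\x00+$/"; sid:1000499; rev:1;)

# The original rule, unchanged. It is only reached for large ICMP packets
# whose payload contains at least one non-zero byte, provided Snort applies
# pass rules before alert rules (-o switch / config order:, assumed here).
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)
```

The caveat a practitioner should keep in mind: a matching pass rule stops all further rule evaluation for that packet, not just sid 499, so an all-zero payload over 800 bytes will also escape any other ICMP rule. Keeping the dsize condition on the pass rule narrows the exemption to exactly the traffic that was generating the noise, rather than whitelisting every zero-filled ping.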

