[Snort-users] RE: Rule content question.
cbyrum at ...6660...
Tue Aug 20 13:50:04 EDT 2002
On Tue, Aug 20, 2002 at 03:35:34PM -0400, larosa, vjay wrote:
> > I seem to have a lot of happy packet generators on my network. No matter
> > what I tell these people they always
> > think they can some how get by me. I am finally giving up, I want to
> > change the following rule,
> > alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP
> > Packet";
> > dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499;
> > rev:3;)
> > to ignore any ICMP packet that has a payload of all 00's. I am trying to
> > figure out how I can mangle
You *could* use a pass rule before this one to allow specific harmless
all-zero pings through.
I'd say, though, that this can probably be tuned out. Is this type of
traffic really so telling of an "intrusion"?
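To make the reply's suggestion concrete, here is an added example (not from the list post or from the Snort project) that models the rule-ordering behaviour being discussed: a "pass" condition for large all-zero ICMP payloads evaluated ahead of the sid:499 "dsize:>800" alert. The packet parser, the sample echo requests and the verdict strings are all constructed for illustration; the 800-byte threshold is the one in the quoted rule.

```python
import struct

# Threshold taken from the quoted rule (sid:499): dsize:>800.
LARGE_ICMP_DSIZE = 800


def parse_icmp(packet: bytes):
    """Split a raw ICMP message into (type, code, payload).

    Echo request/reply carry an 8-byte header: type, code, checksum,
    identifier, sequence. Snort's dsize keyword counts the bytes after
    that header, so the payload returned here is what dsize would see.
    """
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code = struct.unpack("!BB", packet[:2])
    return icmp_type, icmp_code, packet[8:]


def is_all_zero(payload: bytes) -> bool:
    """True when every payload byte is 0x00 (the 'harmless ping' case)."""
    return len(payload) > 0 and all(b == 0 for b in payload)


def evaluate(packet: bytes) -> str:
    """Verdict a pass-before-alert ordering would give for one packet.

    'pass'  : large payload, all zeros -> the hypothetical pass rule wins
    'alert' : large payload, not all zeros -> sid:499 fires
    'none'  : payload within dsize limit, neither rule matches
    """
    _, _, payload = parse_icmp(packet)
    if len(payload) <= LARGE_ICMP_DSIZE:
        return "none"
    if is_all_zero(payload):          # pass rule checked first
        return "pass"
    return "alert"


def summarize(packets):
    """Count verdicts over a batch, e.g. a pcap's worth of ICMP."""
    counts = {"pass": 0, "alert": 0, "none": 0}
    for pkt in packets:
        counts[evaluate(pkt)] += 1
    return counts


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed ICMP echo request (type 8); checksum left as zero
    because only the payload matters for this demonstration."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return header + payload


# Constructed samples: a zero-filled 1000-byte ping, a patterned
# 1024-byte ping, and an ordinary 56-byte ping.
ZERO_FILL = build_echo_request(b"\x00" * 1000)
PATTERN_FILL = build_echo_request(bytes(range(256)) * 4)
SMALL = build_echo_request(b"\x00" * 56)

if __name__ == "__main__":
    for name, pkt in (("zero-fill", ZERO_FILL), ("pattern", PATTERN_FILL), ("small", SMALL)):
        print(f"{name:10s} -> {evaluate(pkt)}")
    print(summarize([ZERO_FILL, PATTERN_FILL, SMALL]))
```

One caveat when translating this into an actual Snort configuration: in classic Snort the default rule-type order is alert, then pass, then log, so a pass rule only takes precedence over sid:499 when Snort is started with the `-o` switch (pass, alert, log); placing the pass rule earlier in the file is not by itself enough.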