[Snort-users] RE: Rule content question.

Andreas Hasenack andreas at ...1574...
Tue Aug 20 14:13:02 EDT 2002


On Tue, Aug 20, 2002 at 01:47:58PM -0700, Clint Byrum wrote:
> I'd say though, that this can probably be tuned out. Is this type of
> traffic really so telling of an "intrusion" ?

The purpose of this rule was to catch ICMP tunnels, if I'm not mistaken.
But it happens that these all-zeros ICMP packets are *really* frequent.




