[Snort-users] RE: Rule content question.
mkettler at ...4108...
Wed Aug 21 11:23:03 EDT 2002
What lack of replies? I made a couple of suggestions for this one... were
the limitations unacceptable?
You are correct, however, that there is *no* way whatsoever in snort rules to
detect that a packet contains *all* 00's. All you can do is exclude those
with lots of 00's. But there are a lot of other things that can be done to
make up for this limit and have a reasonably accurate rule.
Other improvements to my rule below could also be to make the content
search have offset and depth restrictions. This way you could alert for any
ICMP message whose body doesn't start with 00's. It still would fail to
detect large ICMP packets starting with a bunch of 00's and then containing
nonzero data, but it's pretty close to what you want and gives you a rule
that is mostly usable.
What about this? (sid changed to a local-rules sid range)

    # sid:1000001 below is a placeholder in the local range; the sid value in the
    # original post did not survive extraction
    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP nonzero Large ICMP"; dsize:>800; content:!"|00 00 00 00 00 00 00 00|"; classtype:bad-unknown; sid:1000001; rev:1;)
Admittedly it only detects 8 00 bytes before deciding to ignore the packet,
but you can expand it to more to reduce the false-negative rate.
Given your request for this, I take it you're trying to ignore AIX MTU
probes, which use large pings of 00's.
Your other option, a little better, is to have a pass rule which passes
ICMP echoes with the don't-fragment bit set and contents of a whole pile of
zeros, then leave the original rule intact. This way you have a lesser
chance of passing things other than the AIX probes.
At 03:35 PM 8/20/2002 -0400, larosa, vjay wrote:
>I guess from the lack of replies there is no way for me to accomplish this.
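To make the limitation discussed in the reply concrete, here is an added Python simulation of the rule's matching logic (dsize:>800 plus a negated 8-zero-byte content match, and the offset/depth variant suggested above). It is not code from the post or from Snort itself, and the sample ICMP bodies are constructed, not captured traffic.

```python
"""Simulate how the posted Snort rule treats different ICMP bodies."""

ZEROS8 = b"\x00" * 8  # the |00 00 00 00 00 00 00 00| pattern in the rule


def rule_matches(payload: bytes, min_dsize: int = 800, pattern: bytes = ZEROS8) -> bool:
    """Mirror the posted rule: dsize:>800 and content:!"<pattern>".

    A negated content option fires only when the pattern appears *nowhere*
    in the payload, so any body containing one run of 8 zero bytes is ignored.
    """
    if len(payload) <= min_dsize:
        return False
    return pattern not in payload


def rule_matches_with_depth(payload: bytes, min_dsize: int = 800,
                            pattern: bytes = ZEROS8, depth: int = 8) -> bool:
    """Variant with offset:0; depth:<depth>, as suggested in the reply.

    Only the first `depth` bytes are inspected, so the rule alerts on any large
    body that does not *start* with the zero run.
    """
    if len(payload) <= min_dsize:
        return False
    return pattern not in payload[:depth]


# Constructed sample bodies (not real traffic).
AIX_PROBE = b"\x00" * 1400                          # all-zero MTU probe style body
NONZERO = bytes(range(256)) * 4 + b"A" * 400        # 1424 bytes, no 8-zero run
ZERO_PREFIX = b"\x00" * 8 + b"A" * 1000             # zeros first, then nonzero data
ZERO_MIDDLE = b"A" * 500 + b"\x00" * 8 + b"B" * 500  # nonzero data around a zero run
SMALL = b"A" * 100                                  # below the dsize threshold


def evaluate() -> dict:
    """Return (plain-rule, depth-variant) verdicts for each constructed body."""
    samples = {"aix_probe": AIX_PROBE, "nonzero": NONZERO,
               "zero_prefix": ZERO_PREFIX, "zero_middle": ZERO_MIDDLE, "small": SMALL}
    return {name: (rule_matches(p), rule_matches_with_depth(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (plain, depth) in evaluate().items():
        print(f"{name:12s} plain={plain!s:5s} with_depth={depth}")
```

The zero_prefix case shows the false negative the reply admits: both forms ignore a large body that begins with 8 zero bytes and then carries nonzero data, while the depth variant does catch zero_middle, which the plain rule misses.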