[Snort-users] RE: Rule content question.

Matt Kettler mkettler at ...4108...
Wed Aug 21 11:23:03 EDT 2002

What lack of replies?  I made a couple of suggestions for this one... were 
the limitations unacceptable?

You are correct however that there is *no* way whatsoever in snort rules to 
detect that a packet contains *all* 00's. all you can do is exclude those 
with lots of 00's. But there are a lot of other things that can be done to 
make up for this limit and have a reasonably accurate rule.

Other improvements to my rule below could also be to make the content 
search have offset and depth restrictions. This way you could alert for any 
ICMP message whose body doesn't start with 00's. It still would fail to 
detect large ICMP packets starting with a bunch of 00's and then containing 
nonzero data, but it's pretty close to what you want and gives you a rule 
that is mostly usable.

What about this? (sid changed to a local-rules sid range)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP nonzero Large ICMP 
dsize: >800;content:! "|00|00|00|00|00|00|00|00|"; classtype:bad-unknown; 
sid:1000008; rev:1;)

Admittedly it only detects 8 00 bytes before deciding to ignore the packet, 
but you can expand it to more to reduce the false-negative rate.

Given your request for this, I take it you're trying to ignore AIX MTU 
probes, which use large pings of 00's.

Your other option, a little better, is to have a pass rule which passes 
ICMP echo's with the don't fragment bit set and contents of a whole pile of 
zero's, then leave the original rule intact. This way you have a lesser 
chance of passing things other than the AIX probes.

At 03:35 PM 8/20/2002 -0400, larosa, vjay wrote:
>I guess from the lack of replies there is no way for me to accomplish this.

More information about the Snort-users mailing list