[Snort-users] How to catch an ICMP packet based on content.

Errit Müller ejm at ...4674...
Thu Jan 24 12:45:10 EST 2002


Hi all

Can someone please help me create a rule that will alert if the ICMP packet
contains a special pattern like "hallo" or something like that.
Have tried the following but it did not work:
alert icmp any any -> any any (msg:"Hallo in packet"; content: "hallo";
reference:arachnids,449; classtype:attempted-recon; sid:467; rev:1;)

Brgds /Errit





