[Snort-users] Snort rule regarding L3Retriever Ping

Ashley Thomas athomas at ...3539...
Tue Mar 19 20:31:02 EST 2002


hi,

There was a question regarding the rule below (but I didn't find any
replies):

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype:8; icode:0; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)

Is there any particular reason for this alert?

The lone fact that the content has "ABCD..." doesn't require much attention,
right?
And such a rule might cause false alarms, correct?

Please correct me if I am wrong.

cheers
ashley
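To reason about how selective sid:466 actually is, the following added example (not part of the thread, and not Snort's own code) re-implements the rule's four payload-relevant options in Python and runs them over constructed ICMP packets. It assumes the usual Snort semantics: `itype`/`icode` are exact matches, `content` is case-sensitive unless `nocase` is given, and `depth:32` limits the search to the first 32 payload bytes, so a 32-byte pattern can only match at offset 0. The addresses and packets are constructed samples in RFC 5737 test space.

```python
import struct
from typing import Optional

# Fields transcribed from the Snort rule under discussion (sid:466).
RULE_CONTENT = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
RULE_ITYPE = 8      # ICMP echo request
RULE_ICODE = 0
RULE_DEPTH = 32     # only the first 32 payload bytes are searched

ICMP_PROTO = 1


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, itype: int = 8, icode: int = 0) -> bytes:
    """Build a minimal IPv4+ICMP packet (constructed sample; RFC 5737 addresses)."""
    icmp = struct.pack("!BBHHH", itype, icode, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         ICMP_PROTO, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def icmp_fields(packet: bytes) -> Optional[tuple]:
    """Return (type, code, payload) for an IPv4 ICMP packet, or None otherwise."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP_PROTO or len(packet) < ihl + 8:
        return None
    return packet[ihl], packet[ihl + 1], packet[ihl + 8:]


def matches_sid_466(packet: bytes) -> bool:
    """Apply the rule's itype/icode/content/depth options as Snort evaluates them."""
    fields = icmp_fields(packet)
    if fields is None:
        return False
    itype, icode, payload = fields
    if itype != RULE_ITYPE or icode != RULE_ICODE:
        return False
    # depth:32 restricts the content search to the first 32 payload bytes;
    # the pattern is itself 32 bytes, so it has to sit at offset 0.
    # Snort content matching is case-sensitive unless 'nocase' is present.
    return payload[:RULE_DEPTH].find(RULE_CONTENT) != -1


# Constructed samples: one true positive and several near misses.
SAMPLES = {
    "l3retriever_style": build_icmp_echo(RULE_CONTENT),
    "lowercase_alphabet": build_icmp_echo(RULE_CONTENT.lower()),
    "echo_reply_same_payload": build_icmp_echo(RULE_CONTENT, itype=0),
    "pattern_past_depth": build_icmp_echo(b"\x00" * 8 + RULE_CONTENT),
    "binary_counter_payload": build_icmp_echo(bytes(range(56))),
}


def evaluate_samples() -> dict:
    """Run the rule over every sample; only the exact uppercase echo request fires."""
    return {name: matches_sid_466(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:26s} {'ALERT' if hit else '-'}")
```

Running it shows that the rule does not fire on just any alphabet-looking payload: a lowercase alphabet, the same bytes in an echo reply, or the pattern shifted past the 32-byte depth all fail to match. The selective element is the exact 32-byte uppercase sequence at offset 0 of an echo request, which is what makes a tuning decision about false alarms a question of which tools on a given network send that exact payload.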
