[Snort-users] Snort rule regarding L3Retriever Ping
athomas at ...3539...
Tue Mar 19 20:31:02 EST 2002
There was a question regarding the below rule: (but didn't find any
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
Is there any particular reason for this alert?
The lone fact that content has "ABCD..." doesn't require much attention,
and such a rule might cause false alarms, correct?
Please correct me if I am wrong.
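
The following is an added example, not part of the original post and not Snort's own code: a small Python evaluator that applies the quoted rule's conditions (itype 8, icode 0, the content string within depth 32) to constructed ICMP messages, to show exactly which traffic the rule fires on. It assumes the inspected payload is the data after the 8-byte ICMP echo header and that content matching is case-sensitive because the rule has no nocase option; the function names are hypothetical.

```python
import struct

# Values copied from the rule quoted in the post (sid:466).
RULE_ITYPE = 8
RULE_ICODE = 0
RULE_CONTENT = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
RULE_DEPTH = 32

ECHO_HEADER_LEN = 8  # type, code, checksum, identifier, sequence


def build_icmp(itype, icode, payload, ident=1, seq=1):
    """Build a constructed ICMP message (checksum left at 0; the rule ignores it)."""
    return struct.pack("!BBHHH", itype, icode, 0, ident, seq) + payload


def evaluate(icmp):
    """Return (matched, reason) for one ICMP message against the rule's options."""
    if len(icmp) < ECHO_HEADER_LEN:
        return False, "truncated ICMP header"
    itype, icode = icmp[0], icmp[1]
    if itype != RULE_ITYPE:
        return False, "itype %d is not %d" % (itype, RULE_ITYPE)
    if icode != RULE_ICODE:
        return False, "icode %d is not %d" % (icode, RULE_ICODE)
    # depth: 32 limits the search to the first 32 payload bytes. The content
    # itself is 32 bytes, so it can only match at payload offset 0.
    window = icmp[ECHO_HEADER_LEN:][:RULE_DEPTH]
    if RULE_CONTENT not in window:
        return False, "content not found within depth %d" % RULE_DEPTH
    return True, "all rule options satisfied"


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "echo request, exact payload": build_icmp(8, 0, RULE_CONTENT),
    "echo request, lowercase payload": build_icmp(8, 0, RULE_CONTENT.lower()),
    "echo reply, exact payload": build_icmp(0, 0, RULE_CONTENT),
    "echo request, payload shifted 8 bytes": build_icmp(8, 0, b"\x00" * 8 + RULE_CONTENT),
    "echo request, longer payload": build_icmp(8, 0, RULE_CONTENT + b"trailing data"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        matched, reason = evaluate(pkt)
        print("%-40s %-6s %s" % (name, "ALERT" if matched else "-", reason))
```

The rule is a pure payload signature: any ICMP echo request from $EXTERNAL_NET whose data begins with that exact uppercase string alerts, regardless of which program sent it.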