[Snort-users] Snort rule regarding L3Retriever Ping

Brian bmc at ...950...
Wed Mar 20 08:30:03 EST 2002


According to Ashley Thomas:
> There was a question regarding the below rule: (but didn't find any
> replies)
> 
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; 
>  content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;
>  reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
> 
> Is there any particular reason for this alert ??

Yeap, someone was using this tool to scan your network.  

To ME, this isn't that important, but others may find it important to
look at.

-brian
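
What the quoted rule (sid:466) tests, as an added Python example that is not part of the original message or of Snort itself: ICMP type 8, code 0, and the case-sensitive content string within the first 32 bytes of the payload. It assumes the content match starts after the 8-byte echo header and does not model the $EXTERNAL_NET -> $HOME_NET direction; the function names and sample packets are constructed for illustration.

```python
import struct

# Values taken from the rule quoted above (sid:466).
CONTENT = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
DEPTH = 32
ITYPE, ICODE = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(itype: int, icode: int, payload: bytes, ident=1, seq=1) -> bytes:
    """Build a constructed ICMP message (sample input, not captured traffic)."""
    header = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload


def matches_sid_466(icmp: bytes) -> bool:
    """Apply itype, icode and the depth-limited, case-sensitive content test."""
    if len(icmp) < 8:
        return False  # truncated: no full ICMP echo header
    itype, icode = icmp[0], icmp[1]
    if (itype, icode) != (ITYPE, ICODE):
        return False
    # Assumption: payload begins after type/code/checksum/id/seq.
    payload = icmp[8:]
    return CONTENT in payload[:DEPTH]


# Constructed samples: one that should alert and four that should not.
SAMPLES = {
    "echo request, rule payload": build_icmp(8, 0, CONTENT),
    "echo reply, rule payload": build_icmp(0, 0, CONTENT),
    "echo request, lowercase payload": build_icmp(8, 0, CONTENT.lower()),
    "echo request, pattern past depth": build_icmp(8, 0, b"\x00" * 8 + CONTENT),
    "truncated header": b"\x08\x00\x00",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:35s} -> {'ALERT' if matches_sid_466(pkt) else 'no match'}")
```

Only the first sample alerts: the rule has no `nocase` modifier, so the lowercase payload does not match, and `depth: 32` means a pattern shifted 8 bytes into the payload falls outside the searched window.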



