[Snort-users] tcpdump - showing data size
netsec9 at ...125...
Tue Oct 1 15:17:16 EDT 2002
I have recently set up SNORT with the basic signatures and as a side effect
have discovered that our Risc server seems to be sending out a bunch of icmp
echo request traffic. I am trying to narrow down the destination hosts to
give our Unix admin more info to determine the source of the requests (app,
cron, etc.). The rule that is triggering the alert in SNORT is 'Large ICMP
packet' which is defined by the rule:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800;)
I can tell from the Snort logs that the risc box is initiating the echo
requests. I am running 'tcpdump icmp=8' on the Risc server and I am
wanting to narrow the capture down to the packets that are triggering the
alerts (i.e. > 800). How do I display the packet size? Is dsize synonymous
with bytes, i.e. > 800 bytes? I have tried the -v operator but it doesn't
really show much.
Any help is appreciated.
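A worked illustration of the dsize question, added here by the editor and not part of the original post: Snort's dsize for an ICMP echo is the payload length after the 8-byte echo header, so the tcpdump equivalent of the rule filters on IPv4 total length rather than on a raw "800". The packet builder, the 20-byte IP header (no options) and the addresses are constructed assumptions for the arithmetic.

```python
import struct

# Framing assumptions for the size arithmetic (constructed example, not from the post):
IP_HDR_LEN = 20        # IPv4 header with no options
ICMP_ECHO_HDR_LEN = 8  # type, code, checksum, identifier, sequence number
ETH_HDR_LEN = 14       # Ethernet II header, relevant to tcpdump's 'len' primitive

def build_echo_request(payload: bytes) -> bytes:
    """Construct a sample IPv4 + ICMP echo request (checksums left zero; test data only)."""
    total_len = IP_HDR_LEN + ICMP_ECHO_HDR_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)  # type 8 = echo request
    return ip_hdr + icmp_hdr + payload

def snort_dsize(pkt: bytes) -> int:
    """Snort's dsize for an ICMP echo: bytes after the IP header and the 8-byte echo header."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]
    return ip_total_len - ihl - ICMP_ECHO_HDR_LEN

def ip_len_threshold(dsize_threshold: int) -> int:
    """IPv4 total length a packet must exceed so that dsize > dsize_threshold."""
    return dsize_threshold + IP_HDR_LEN + ICMP_ECHO_HDR_LEN

def bpf_for_dsize(dsize_threshold: int) -> str:
    """tcpdump filter for 'echo request with dsize > threshold'; ip[2:2] is the IPv4 total length."""
    return f"icmp[icmptype] == icmp-echo and ip[2:2] > {ip_len_threshold(dsize_threshold)}"

def rule_matches(pkt: bytes, dsize_threshold: int) -> bool:
    """Apply the same test the BPF expression performs, on a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    is_echo = pkt[ihl] == 8
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]
    return is_echo and ip_total_len > ip_len_threshold(dsize_threshold)

if __name__ == "__main__":
    for n in (800, 801):
        pkt = build_echo_request(b"A" * n)
        print(f"{n} payload bytes -> dsize {snort_dsize(pkt)}, "
              f"matches dsize>800: {rule_matches(pkt, 800)}")
    print("tcpdump -nn -v '" + bpf_for_dsize(800) + "'")
```

On an Ethernet link the same packets also satisfy `len > 842` (828 plus the 14-byte Ethernet header), and `tcpdump -v` prints each packet's IPv4 total length so the two numbers can be compared directly.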