[Snort-users] SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..

Jeff Kell jeff-kell at ...6282...
Wed Dec 31 18:43:00 EST 2003

Brice B wrote:
> would you mind telling us how you set it to alert only internal
> Cyberkit/Nachi ping attempts? Did you use thresholding?

Can anyone verify the [non]existence of a difference between the
Cyberkit and Nachi pings?  Not having Cyberkit myself, I can only
address Nachi.  The frame is 106 bytes on the wire, 92 bytes in the IP 
packet, and 64 bytes of 0xaa in the ICMP data payload.

If Cyberkit is anything but 64 bytes of 0xaa payload, perhaps a new, 
Nachi-specific rule is called for.
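
Added example, not part of the original message and not Snort code: a Python check that an Ethernet/IPv4 frame is an ICMP echo request carrying exactly the 64 bytes of 0xaa described above, and whether its source is internal. The `HOME_NET` range, the sample addresses, the helper names and the result labels are assumptions constructed for illustration.

```python
import ipaddress
import struct

NACHI_PAYLOAD = b"\xaa" * 64                      # payload described in the post
HOME_NET = ipaddress.ip_network("10.0.0.0/8")    # assumption: the internal range


def build_frame(src, dst, payload):
    """Construct a sample Ethernet/IPv4/ICMP echo request (checksums left at 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    eth = b"\x00" * 12 + b"\x08\x00"              # zeroed MACs, EtherType IPv4
    return eth + ip + icmp


def classify(frame):
    """Return 'nachi-internal', 'nachi-external', 'other-ping' or 'not-ping'."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return "not-ping"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = int.from_bytes(ip[2:4], "big")    # 92 for the ping in the post
    if ip[0] >> 4 != 4 or ip[9] != 1 or ihl < 20 or total_len > len(ip):
        return "not-ping"
    icmp = ip[ihl:total_len]                      # drops any Ethernet padding
    if len(icmp) < 8 or icmp[0] != 8 or icmp[1] != 0:
        return "not-ping"                         # not an echo request
    if icmp[8:] != NACHI_PAYLOAD:
        return "other-ping"                       # different size or fill byte
    src = ipaddress.ip_address(ip[12:16])
    return "nachi-internal" if src in HOME_NET else "nachi-external"


if __name__ == "__main__":
    sample = build_frame("10.1.2.3", "192.0.2.10", NACHI_PAYLOAD)
    # 14 (Ethernet) + 20 (IP) + 8 (ICMP) + 64 (data) = 106 on the wire, 92 in IP
    print(len(sample), int.from_bytes(sample[16:18], "big"), classify(sample))
```

Any echo request whose data differs in length or fill byte comes back as `other-ping`, which is the distinction a Nachi-specific rule would depend on.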


