[Snort-users] SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..
jeff-kell at ...6282...
Wed Dec 31 18:43:00 EST 2003
Brice B wrote:
> would you mind telling us how you set it to alert only internal
> Cyberkit/Nachi ping attempts? Did you use thresholding?
Can anyone verify the [non]existence of a difference between the
Cyberkit and Nachi pings? Not having Cyberkit myself, I can only
address Nachi. The frame is 106 bytes on the wire, 92 bytes in the IP
packet, and 64 bytes of 0xaa in the ICMP data payload.
If Cyberkit is anything but 64 bytes of 0xaa payload, perhaps a new,
Nachi-specific rule is called for.
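
The size check described in the message above, as an added example that is not part of the original post: it parses a raw frame and separates an echo request with exactly 64 bytes of 0xaa from one with 0xaa fill of another length. The function names, labels and sample frames are constructed for illustration; it assumes untagged Ethernet II and does not validate checksums.

```python
import struct

NACHI_PAYLOAD = b"\xaa" * 64  # ICMP data payload as described in the post

def build_echo_frame(payload: bytes) -> bytes:
    """Constructed sample: Ethernet II + IPv4 + ICMP echo request (checksums left 0)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0, 128, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))  # documentation addresses
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8, code 0, csum, id, seq
    return eth + ip + icmp + payload

def classify(frame: bytes) -> str:
    """Return 'nachi-like', 'aa-fill-other-size', 'other-echo' or 'not-icmp-echo'."""
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return "not-icmp-echo"
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[14 + 9] != 1:  # IPv4, protocol ICMP
        return "not-icmp-echo"
    # Slice by the IP total length so Ethernet trailer padding is not counted as payload.
    total_len = struct.unpack("!H", frame[16:18])[0]
    icmp = frame[14 + ihl:14 + total_len]
    if len(icmp) < 8 or icmp[0] != 8 or icmp[1] != 0:  # echo request only
        return "not-icmp-echo"
    payload = icmp[8:]
    if payload == NACHI_PAYLOAD:
        return "nachi-like"          # 106 on the wire, 92 in IP, 64 x 0xaa
    if payload and set(payload) == {0xAA}:
        return "aa-fill-other-size"  # same fill byte, different length
    return "other-echo"
```
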