[Snort-users] question about ICMP echo reply (undefined code) rule

Matt Kettler mkettler at ...4108...
Thu Nov 20 14:36:02 EST 2003


At 04:34 PM 11/20/2003, Rob Burris wrote:
>alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply 
>(Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;)
>
>But isn't this type of ICMP message expected back from the machine that is 
>replying to the request?

Technically itype 0 icode 0 is expected. itype 0 with any other icode is not.

This rule is really meant to be used in conjunction with SID 408... SID 408 
picks up the ones with icmp type/code of 0/0, and then 409 picks up 
everything else.
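To make the 408/409 split concrete, here is a small added example (written for this page, not Snort's own code or rule text). It models the itype/icode option checks of the two rules and runs them over constructed ICMP packets. SID 408 is written with itype:0 and icode:0 as described above; the SID 409 rule in the example carries an explicit icode:>0 so that it matches exactly the echo replies 408 does not. That icode option is an assumption added here; the rev:4 text quoted in the question has no icode test, and the example also keeps that form to show how it behaves on its own. The packets are constructed inline with zero checksums, since only type and code are inspected.

```python
import struct

# Rules for this example. SID 408: type/code 0/0. SID 409: type 0, any other
# code (icode:>0 is an assumption added for this example; the rev:4 rule
# quoted in the thread has no icode option at all).
RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; itype:0; icode:0; sid:408;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (Undefined Code!)"; itype:0; icode:>0; sid:409;)',
]

# The rule exactly as quoted in the question: itype only, no icode test.
RULE_409_REV4 = 'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (Undefined Code!)"; itype:0; sid:409;)'


def parse_options(rule):
    """Return the option dict from the parenthesised part of a Snort rule."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return opts


def value_test(spec):
    """Build a predicate for a Snort itype/icode value written as N, >N or <N."""
    if spec.startswith(">"):
        return lambda v: v > int(spec[1:])
    if spec.startswith("<"):
        return lambda v: v < int(spec[1:])
    return lambda v: v == int(spec)


def rule_matches(rule, itype, icode):
    """True when every itype/icode option present in the rule accepts the packet."""
    opts = parse_options(rule)
    if "itype" in opts and not value_test(opts["itype"])(itype):
        return False
    if "icode" in opts and not value_test(opts["icode"])(icode):
        return False
    return True


def build_packet(itype, icode):
    """Constructed IPv4+ICMP sample packet; checksums are left at zero because
    only the ICMP type and code are inspected here."""
    icmp = struct.pack("!BBHHH", itype, icode, 0, 0x1234, 1) + b"snort"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([203, 0, 113, 5]), bytes([192, 168, 1, 10]))
    return ip + icmp


def icmp_type_code(packet):
    """Pull (itype, icode) out of an IPv4 packet carrying ICMP (protocol 1)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    return packet[ihl], packet[ihl + 1]


def matching_sids(packet, rules=RULES):
    """SIDs of the rules whose itype/icode options match the packet."""
    itype, icode = icmp_type_code(packet)
    return [int(parse_options(r)["sid"]) for r in rules if rule_matches(r, itype, icode)]


if __name__ == "__main__":
    for itype, icode in ((0, 0), (0, 3), (8, 0)):
        pkt = build_packet(itype, icode)
        print(f"type {itype} code {icode}: sids {matching_sids(pkt)}")
    # The rev:4 rule on its own also fires on a normal 0/0 echo reply,
    # which is the behaviour the question asks about.
    print("rev4 409 on type 0 code 0:", rule_matches(RULE_409_REV4, 0, 0))
```

With the two rules paired this way a normal echo reply (0/0) hits only 408, an echo reply with a non-zero code hits only 409, and an echo request (type 8) hits neither. The last line shows why the rev:4 text alone looks noisy: without an icode test it matches every echo reply.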
