[Snort-users] question about ICMP echo reply (undefined code) rule
mkettler at ...4108...
Thu Nov 20 14:36:02 EST 2003
At 04:34 PM 11/20/2003, Rob Burris wrote:
>alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply
>(Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;)
>But isn't this type of ICMP message expected back from the machine that is
>replying to the request?
Technically itype 0 icode 0 is expected. itype 0 with any other icode is not.
This rule is really meant to be used in conjunction with SID 408... SID 408
picks up the ones with icmp type/code of 0/0, and then 409 picks up
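The split between the two rules described in the reply (SID 408 for an echo reply with type/code 0/0, SID 409 for an echo reply carrying any other code) can be reproduced offline with a small ICMP header parser. The following is an added example, not code from the original post or from the Snort rule set: it builds ICMP messages with an RFC 1071 checksum, parses the 8-byte header, verifies the checksum, and reports which of the two SIDs the stated intent of the rules would match. The packets it constructs are sample data, and the two-SID decision logic mirrors the behaviour the reply describes rather than the exact rule syntax of any particular Snort release.

```python
import struct

# RFC 792 defines only code 0 for type 0 (Echo Reply); any other code is
# "undefined", which is what the SID 409 rule is meant to flag.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message to a 16-bit boundary
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, icode: int, ident: int = 0x1234,
               seq: int = 1, payload: bytes = b"abcdefgh") -> bytes:
    """Construct a sample ICMP message with a correct checksum (test data)."""
    header = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Parse the 8-byte ICMP header and check the checksum over the message."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    itype, icode, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    # Summing a message that includes its own correct checksum folds to
    # 0xFFFF, so the complement is 0 when the checksum is valid.
    return {
        "type": itype,
        "code": icode,
        "checksum": csum,
        "checksum_ok": icmp_checksum(pkt) == 0,
        "id": ident,
        "seq": seq,
        "payload": pkt[8:],
    }


def matching_sids(pkt: bytes) -> list:
    """Return the SIDs (408 and/or 409) whose stated intent matches pkt.

    SID 408: echo reply with the only defined code (0/0).
    SID 409: echo reply with an undefined code (type 0, code != 0).
    Any other ICMP type matches neither rule.
    """
    hdr = parse_icmp(pkt)
    sids = []
    if hdr["type"] == ICMP_ECHO_REPLY and hdr["code"] == 0:
        sids.append(408)
    if hdr["type"] == ICMP_ECHO_REPLY and hdr["code"] != 0:
        sids.append(409)
    return sids


if __name__ == "__main__":
    for itype, icode in ((0, 0), (0, 5), (8, 0)):
        pkt = build_icmp(itype, icode)
        print("type=%d code=%d -> SIDs %s" % (itype, icode, matching_sids(pkt)))
```

Because the reply notes that only code 0 is expected on an echo reply, a detection engineer would normally tune SID 408 down (or off) on networks that ping freely and keep SID 409, which should essentially never fire on a conforming host.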