[Snort-users] question about ICMP echo reply (undefined code) rule
robeb at ...10609...
Thu Nov 20 17:00:02 EST 2003
Matt Kettler wrote:
> At 04:34 PM 11/20/2003, Rob Burris wrote:
>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply
>> (Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;)
>> But isn't this type of ICMP message expected back from the machine
>> that is replying to the request?
> Technically itype 0 icode 0 is expected. itype 0 with any other icode
> is not.
> This rule is really meant to be used in conjunction with SID 408...
> SID 408 picks up the ones with icmp type/code of 0/0, and then 409
> picks up everything else.
Ok that makes sense, but then shouldn't snort log the message with SID
408 instead of SID 409? If I ping yahoo.com snort logs the alert as SID
409. Why would yahoo.com reply with an invalid or undefined icmp message?
[**] ICMP Echo Reply (Undefined Code!)
ICMP TTL:243 TOS:0 ID:48631 IpLen:5 DgmLen:84
Type:0 Code:0 ID: Seq:
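The following Python model is an added illustration, not code from the thread or from the Snort project. It builds constructed ICMP echo replies, parses the 8-byte ICMP header, and evaluates two small rule sets against them: the SID 408/409 pair as quoted above (where the 409 rule carries only `itype: 0` and no `icode` option, so it matches every code, including 0), and an assumed variant in which SID 409 is constrained to non-zero codes. The rule-matching semantics here are a simplified model of Snort's `itype`/`icode` options (only equality and `>N` are modelled); the constrained rule set is my assumption, not a rule shipped with Snort.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def checksum(data):
    """RFC 792 ones'-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, ident=0x1234, seq=1, payload=b"\x00" * 56):
    """Constructed ICMP message (header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(data):
    """Parse the ICMP header; reject short or corrupted messages."""
    if len(data) < 8:
        raise ValueError("short ICMP header")
    if checksum(data) != 0:
        raise ValueError("bad ICMP checksum")
    t, c, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": t, "code": c, "id": ident, "seq": seq}


# Simplified model of Snort rule options: "icode" may be None (option absent,
# matches any code), an int (exact match) or a string like ">0".
RULES_AS_QUOTED = [
    {"sid": 408, "msg": "ICMP Echo Reply", "itype": 0, "icode": 0},
    {"sid": 409, "msg": "ICMP Echo Reply (Undefined Code!)", "itype": 0, "icode": None},
]

# Assumed variant (not from the thread): 409 only fires on non-zero codes.
RULES_CONSTRAINED = [
    {"sid": 408, "msg": "ICMP Echo Reply", "itype": 0, "icode": 0},
    {"sid": 409, "msg": "ICMP Echo Reply (Undefined Code!)", "itype": 0, "icode": ">0"},
]


def code_matches(icode, code):
    """Evaluate the modelled icode option against a packet's code field."""
    if icode is None:
        return True
    if isinstance(icode, str) and icode.startswith(">"):
        return code > int(icode[1:])
    return code == icode


def alerts_for(rules, data):
    """Return the SIDs that fire for one ICMP message, in rule order."""
    pkt = parse_icmp(data)
    return [r["sid"] for r in rules
            if pkt["type"] == r["itype"] and code_matches(r["icode"], pkt["code"])]


if __name__ == "__main__":
    reply_code0 = build_icmp(ICMP_ECHO_REPLY, 0)   # the normal ping reply
    reply_code3 = build_icmp(ICMP_ECHO_REPLY, 3)   # constructed odd code
    print("as quoted, code 0:", alerts_for(RULES_AS_QUOTED, reply_code0))
    print("constrained, code 0:", alerts_for(RULES_CONSTRAINED, reply_code0))
    print("as quoted, code 3:", alerts_for(RULES_AS_QUOTED, reply_code3))
```

Run against a constructed type 0 / code 0 reply, the rule set as quoted fires both 408 and 409, which is consistent with seeing a SID 409 alert on an ordinary ping reply; the constrained set fires only 408 for code 0 and only 409 for any other code.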