[Snort-users] normal vs. malicious icmp echo

Erik Fichtner emf at ...367...
Wed May 5 20:58:01 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, May 05, 2004 at 10:25:42PM -0500, Mario Guerendo wrote:
> I just wanted to know if anybody had a snort rule available that would
> differentiate a normal ICMP echo ping from a malicious one?
> If so, would you be willing to share it?

per RFC3514 [1], the following should work:

alert icmp any any -> any any (msg: "Evil ICMP Ping"; itype:8; fragbits: -M; fragoffset: >4095;)


Though, to be fully RFC3514 compliant, you might want to start your
snort instance with a pcap filter specified on the command line like:
	snort $ARGS 'ip[6] & 32 != 0'


[1] ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt

PLEASE read the RFC before you use this. 

- -- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQFAmbeUQ7EzrewLMS0RApdCAKC1J4o6pft8c8//UmYd3ryPRUuifwCgszyv
/7g9j4eYgYEeEdubMGNdKvQ=
=qXLq
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list