[Snort-users] normal vs. malicious icmp echo
emf at ...367...
Wed May 5 20:58:01 EDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, May 05, 2004 at 10:25:42PM -0500, Mario Guerendo wrote:
> I just wanted to know if anybody had a snort rule available that would
> differentiate a normal ICMP echo ping from a malicious one?
> If so, would you be willing to share it?
per RFC3514 , the following should work:
alert icmp any any -> any any (msg: "Evil ICMP Ping"; itype:8; fragbits: -M; fragoffset: >4095;)
Though, to be fully RFC3514 compliant, you might want to start your
snort instance with a pcap filter specified on the command line like:
snort $ARGS 'ip & 32 != 0'
PLEASE read the RFC before you use this.
Principal Engineer, Information Security, ServerVault Corp.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
-----END PGP SIGNATURE-----
More information about the Snort-users