[Snort-users] Rules that fire on bad checksums?

Martin Roesch roesch at ...1935...
Wed Sep 8 07:32:10 EDT 2004


You'd need to write a detection plugin that checks the status of the 
checksum flags in the packet struct.   Something like:

alert ip any any -> any any (badcksum: any; msg: "Bad Checksum Detected";)

All you need to do is write the badcksum plugin and you'll be all set. 
:)

      -Marty


On Sep 7, 2004, at 10:51 AM, Glenn Forbes Fleming Larratt wrote:

> tcpdump will make noise when an IP or embedded protocol checksum is 
> bad.
>
> I cannot find anything in the Snort manual that would alert on that
> condition - is there any such thing, either in the rules or in a 
> plugin?
>
> 	-g
>
> 				Glenn Forbes Fleming Larratt
> 				Rice University Networking
> 				glratt at ...604...
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
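
Added example, not part of the original post and not Snort code: a stand-alone C version of the check whose result a "badcksum"-style option would test, verifying the IPv4 header checksum and, for UDP, the pseudo-header checksum. The names BAD_IP, BAD_UDP, inet_csum and bad_checksums are assumptions made for this example, the sample packet is constructed, and fragments are not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BAD_IP  0x01   /* flag names are assumptions for this example */
#define BAD_UDP 0x04

/* RFC 1071: one's-complement sum of big-endian 16-bit words, folded, inverted. */
static uint16_t inet_csum(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;      /* odd trailing byte, zero padded */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Bitmask of BAD_* flags for one unfragmented IPv4 packet, -1 if malformed. */
int bad_checksums(const uint8_t *pkt, size_t len)
{
    int flags = 0;
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len) return -1;
    /* A valid header summed with its checksum field included yields 0. */
    if (inet_csum(0, pkt, ihl) != 0) flags |= BAD_IP;
    size_t ulen = total - ihl;
    if (pkt[9] == 17 && ulen >= 8 && (pkt[ihl + 6] | pkt[ihl + 7])) {
        /* UDP pseudo-header: src, dst, zero, protocol, UDP length. */
        uint32_t ps = 17 + (uint32_t)ulen;
        for (int i = 12; i < 20; i += 2)
            ps += ((uint32_t)pkt[i] << 8) | pkt[i + 1];
        if (inet_csum(ps, pkt + ihl, ulen) != 0) flags |= BAD_UDP;
    }
    return flags;
}

/* Constructed sample: 192.0.2.1:12345 -> 192.0.2.2:53, UDP payload "test". */
static const uint8_t sample_ok[32] = {
    0x45,0x00,0x00,0x20, 0x00,0x01,0x00,0x00, 0x40,0x11,0xf6,0xc8,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x30,0x39,0x00,0x35, 0x00,0x0c,0x63,0x8a, 't','e','s','t' };

int main(void)
{
    printf("flags=0x%x\n", bad_checksums(sample_ok, sizeof sample_ok));
    return 0;
}
```

A UDP checksum field of zero means the sender did not compute one, so the example does not flag it.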




