[Snort-users] Rules that fire on bad checksums?

Chris Green cmg at ...671...
Wed Sep 8 10:48:36 EDT 2004


Martin Roesch <roesch at ...1935...> writes:

> You'd need to write a detection plugin that checks the status of the
> checksum flags in the packet struct.   Something like:
>
>
> All you need to do is write the badcksum plugin and you'll be all
> set. :)

It might be a bit more invasive than that b/c if it checks checksums
at all, it skips the rule engine entirely.

You'll have to add something that makes all the other rules validate
the checksum by default and then have your badchecksum plugin.  Dunno
how much things have changed but I doubt anyone has tackled that stuff
lately :)

The quickest route for doing that would probably be a preprocessor
that alerted on bad checksums.  

Cheers,
Chris
-- 
Chris Green <cmg at ...1121...>
Warning: time of day goes back, taking countermeasures.
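
The check such a preprocessor would apply to each packet, as an added example that is not part of the original message and is not Snort code: a stand-alone C routine that verifies the IPv4 header checksum and the TCP checksum per RFC 1071. The function names, flag constants and sample packet are constructed for illustration and do not use Snort's plugin API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BAD_IP_CKSUM  0x1
#define BAD_TCP_CKSUM 0x2
#define MALFORMED     0x4   /* truncated or not IPv4 */

/* Constructed sample: IPv4 192.0.2.1 -> 192.0.2.2, TCP SYN 1234 -> 80, valid checksums. */
static const uint8_t sample_pkt[40] = {
    0x45,0x00,0x00,0x28,0x00,0x01,0x00,0x00,0x40,0x06,0xf6,0xcb,
    0xc0,0x00,0x02,0x01,0xc0,0x00,0x02,0x02,
    0x04,0xd2,0x00,0x50,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00,0x06,0xbc,0x00,0x00 };

/* RFC 1071: add big-endian 16-bit words to a running one's-complement sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;   /* odd trailing byte, zero padded */
    return sum;
}
/* Fold carries and complement; data that includes a valid checksum yields 0. */
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Returns a bitmask of problems for a packet that starts at the IPv4 header. */
int check_checksums(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot < ihl || tot > len) return MALFORMED;
    int flags = csum_fold(csum_add(0, pkt, ihl)) ? BAD_IP_CKSUM : 0;
    /* TCP can only be verified on unfragmented datagrams (MF clear, offset 0). */
    if (pkt[9] == 6 && (pkt[6] & 0x3f) == 0 && pkt[7] == 0) {
        size_t seglen = tot - ihl;
        if (seglen < 20) return flags | MALFORMED;
        uint32_t sum = csum_add(0, pkt + 12, 8);  /* pseudo-header: src, dst */
        sum += 6 + (uint32_t)seglen;              /* protocol, TCP length */
        if (csum_fold(csum_add(sum, pkt + ihl, seglen))) flags |= BAD_TCP_CKSUM;
    }
    return flags;
}
int main(void) {
    uint8_t buf[sizeof sample_pkt];
    memcpy(buf, sample_pkt, sizeof buf);
    printf("intact: %d\n", check_checksums(buf, sizeof buf));
    buf[33] ^= 0x10;   /* corrupt the TCP flags byte */
    printf("corrupted: %d\n", check_checksums(buf, sizeof buf));
    return 0;
}
```

On a sensor that captures its own host's outbound traffic, checksum offload to the NIC makes locally generated packets appear to have bad checksums, so an alert built on this check is best applied to traffic seen on the wire.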




