[Snort-users] Re: Rules that fire on bad checksums?

Richard Bejtlich taosecurity at ...11827...
Wed Sep 8 19:13:04 EDT 2004

Glenn Forbes Fleming Larratt wrote:

tcpdump will make noise when an IP or embedded protocol checksum is bad.

I cannot find anything in the Snort manual that would alert on that
condition - is there any such thing, either in the rules or in a plugin?


You might consider looking at Vern Paxson's open source Bro IDS
(http://bro-ids.org/).  The Bro manual index shows several ways to
catch bad checksums in various headers. [0]  For example:

# checksum error, ICMP: Events handled by conn_weird
# checksum error, IP: Events handled by net_weird
# checksum error, TCP: Events handled by conn_weird
# checksum error, UDP: Events handled by conn_weird

Bro excels at detecting these sorts of odd packet features.

I recently exchanged emails with a Bro developer who claims a lot of
work is being done to make Bro easier to deploy and manage.  I think
the new Web site and Wiki are evidence this is happening.  [1]

My book describes how to set up Bro using Chris Manders' BRA scripts.  [2]



[0] http://bro-ids.org/Bro-reference-manual/Index.html
[1] http://www.icir.org/twiki/bin/view/Bro/WebHome
[2] http://www.baylinks.com/~cmanders/projects/bra.html and
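
The checksum checks behind the "checksum error" events listed above, as an added example that is not part of the original post and is not Bro's or Snort's code. The function names and finding labels are hypothetical, and the sample packet is constructed using documentation addresses.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: complemented one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_ipv4_packet(pkt: bytes) -> list:
    """Return checksum findings for one raw IPv4 packet (labels are hypothetical)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not_ipv4"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _, frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return ["truncated"]
    findings = []
    # Summing a header that includes a correct checksum field yields 0.
    if inet_checksum(pkt[:ihl]) != 0:
        findings.append("bad_ip_checksum")
    proto, payload = pkt[9], pkt[ihl:total_len]
    if frag & 0x3FFF:  # MF set or offset > 0: transport checksum spans fragments
        return findings
    if proto == 1:  # ICMP checksum covers only the ICMP message
        if inet_checksum(payload) != 0:
            findings.append("bad_icmp_checksum")
    elif proto in (6, 17):  # TCP/UDP add a pseudo-header of addresses + length
        if proto == 17 and payload[6:8] == b"\x00\x00":
            return findings  # UDP checksum 0 means the sender did not compute one
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(payload))
        if inet_checksum(pseudo + payload) != 0:
            findings.append("bad_tcp_checksum" if proto == 6 else "bad_udp_checksum")
    return findings

def build_udp_packet(payload: bytes) -> bytes:
    """Constructed sample: valid UDP datagram 192.0.2.1:1024 -> 192.0.2.2:53."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    ulen = 8 + len(payload)
    udp = struct.pack("!HHHH", 1024, 53, ulen, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 17, ulen)
    csum = inet_checksum(pseudo + udp) or 0xFFFF  # a computed 0 is sent as 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + ulen, 1, 0, 64, 17, 0) + src + dst
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + udp
```

On a sensor that also originates traffic, locally sent packets captured before the NIC's checksum offload fills in the field will fail these checks even though they are correct on the wire.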
