[Snort-users] Re: Rules that fire on bad checksums?
taosecurity at ...11827...
Wed Sep 8 19:13:04 EDT 2004
Glenn Forbes Fleming Larratt wrote:
tcpdump will make noise when an IP or embedded protocol checksum is bad.
I cannot find anything in the Snort manual that would alert on that
condition - is there any such thing, either in the rules or in a plugin?
You might consider looking at Vern Paxson's open source Bro IDS
(http://bro-ids.org/). The Bro manual index shows several ways to
catch bad checksums in various headers.  For example:
# checksum error, ICMP: Events handled by conn_weird
# checksum error, IP: Events handled by net_weird
# checksum error, TCP: Events handled by conn_weird
# checksum error, UDP: Events handled by conn_weird
Bro excels at detecting these sorts of odd packet features.
I recently exchanged emails with a Bro developer who claims a lot of
work is being done to make Bro easier to deploy and manage. I think
the new Web site and Wiki are evidence this is happening. 
My book describes how to set up Bro using Chris Manders' BRA scripts. 
 http://www.baylinks.com/~cmanders/projects/bra.html and
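The checks the thread is asking about (the ones tcpdump complains about and Bro reports as "checksum error, IP/TCP/UDP/ICMP") are simple to reproduce in a standalone validator. The following is an added example, not code from the original post, from Snort, or from Bro: it implements the RFC 1071 Internet checksum, verifies the IPv4 header checksum, and verifies the TCP/UDP checksum over the pseudo-header (or the ICMP checksum), reporting findings with the same wording as the Bro manual index quoted above. The packet bytes, addresses and ports are constructed inline for the demonstration; Bro's own net_weird/conn_weird handlers are not used.

```python
import struct

# Constructed sample addresses for the demonstration packet (not from the post).
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def check_packet(pkt: bytes) -> list:
    """Return Bro-style 'checksum error, X' findings for one IPv4 packet.

    A header whose checksum field is included in the sum verifies when the
    one's-complement sum of the whole header comes out as 0xFFFF.
    """
    findings = []
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ones_complement_sum(pkt[:ihl]) != 0xFFFF:
        findings.append("checksum error, IP")
    proto = pkt[9]
    segment = pkt[ihl:total_len]            # transport header + payload, trailer excluded
    if proto in (6, 17):
        name = "TCP" if proto == 6 else "UDP"
        if proto == 17 and segment[6:8] == b"\x00\x00":
            return findings                 # IPv4 UDP checksum is optional; zero means "not computed"
        # TCP/UDP cover a pseudo-header: src, dst, zero, protocol, transport length.
        pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, proto, len(segment))
        if ones_complement_sum(pseudo + segment) != 0xFFFF:
            findings.append("checksum error, " + name)
    elif proto == 1:
        if ones_complement_sum(segment) != 0xFFFF:  # ICMP checksum covers only the ICMP message
            findings.append("checksum error, ICMP")
    return findings


def build_tcp_packet(payload: bytes, corrupt: str = None) -> bytes:
    """Construct a valid IPv4/TCP packet; optionally corrupt it after checksumming.

    corrupt="tcp" flips a payload bit (breaks only the TCP checksum);
    corrupt="ip"  flips a TTL bit (breaks only the IP header checksum).
    """
    # TCP: sport 40000, dport 80, seq 1, ack 0, data offset 5, PSH|ACK, window 8192, cksum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = SRC + DST + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: ver/IHL 0x45, TOS 0, total length, ID, DF flag, TTL 64, proto 6, cksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, SRC, DST)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    pkt = ip + tcp
    if corrupt == "tcp":
        pkt = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    elif corrupt == "ip":
        pkt = pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:]
    return pkt


if __name__ == "__main__":
    body = b"GET / HTTP/1.0\r\n\r\n"      # constructed payload
    for label in (None, "tcp", "ip"):
        print(label or "clean", check_packet(build_tcp_packet(body, corrupt=label)))
```

Fed raw frames from a pcap (after stripping the link-layer header), check_packet gives the same verdict tcpdump prints; a packet that fails only the transport check while the IP header verifies is the case the original question is about, and on a sensor that sees hardware-offloaded checksums it is also the usual false positive to rule out first.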