[Snort-users] Re: Rules that fire on bad checksums?
william.metcalf at ...11827...
Wed Sep 8 20:17:04 EDT 2004
Ummmmm, you could replace your snort IDS which you know and love. Or
you could apply the patch attached below. I was feeling nice and had
an extra 5 minutes so I whipped this up for 2.2.0 users out there.
Victor Julien and I are working on adding this into snort_inline
anyhow. This should apply cleanly to snort-2.2.0 and give you the
alerting you desire.
On Wed, 8 Sep 2004 22:12:48 -0400, Richard Bejtlich
<taosecurity at ...11827...> wrote:
> Glenn Forbes Fleming Larratt wrote:
> > tcpdump will make noise when an IP or embedded protocol checksum is bad.
> > I cannot find anything in the Snort manual that would alert on that
> > condition - is there any such thing, either in the rules or in a plugin?
> You might consider looking at Vern Paxson's open source Bro IDS
> (http://bro-ids.org/). The Bro manual index shows several ways to
> catch bad checksums in various headers.  For example:
> # checksum error, ICMP: Events handled by conn_weird
> # checksum error, IP: Events handled by net_weird
> # checksum error, TCP: Events handled by conn_weird
> # checksum error, UDP: Events handled by conn_weird
> Bro excels at detecting these sorts of odd packet features.
> I recently exchanged emails with a Bro developer who claims a lot of
> work is being done to make Bro easier to deploy and manage. I think
> the new Web site and Wiki are evidence this is happening. 
> My book describes how to set up Bro using Chris Manders' BRA scripts. 
>  http://bro-ids.org/Bro-reference-manual/Index.html
>  http://www.icir.org/twiki/bin/view/Bro/WebHome
>  http://www.baylinks.com/~cmanders/projects/bra.html and
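As an added example (not the scrubbed patch from this message, and not Snort's or Bro's code): the verification an IDS has to perform before it can raise a bad-checksum alert, checking both the IPv4 header checksum and the TCP checksum with its pseudo-header over a constructed 40-byte SYN. `checksum_alerts` returns a bitmask of which check fails, and `alerts_after_edit` shows how a single corrupted byte lands in one or both alerts; the sample packet and both function names are constructed for this example.

```c
/* Added example (not the scrubbed patch or Snort code): verify the IPv4 header
 * and TCP checksums of a raw packet, the check an IDS performs before alerting. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* RFC 1071 one's-complement running sum over a byte run. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (len) acc += (uint32_t)p[0] << 8;          /* odd trailing byte */
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
/* 1 if the IPv4 header, summed including its stored checksum, folds to zero. */
int ip_checksum_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = len >= 20 ? (pkt[0] & 0x0f) * 4u : 0;
    if (ihl < 20 || ihl > len) return 0;
    return fold(ones_sum(pkt, ihl, 0)) == 0;
}
/* 1 if the TCP checksum over pseudo-header + segment verifies. Assumes len is the
 * exact IP datagram length (no link-layer trailer) and no fragmentation. */
int tcp_checksum_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = len >= 20 ? (pkt[0] & 0x0f) * 4u : 0;
    if (ihl < 20 || pkt[9] != 6 || ihl + 20 > len) return 0;
    size_t tcp_len = len - ihl;
    uint32_t acc = ones_sum(pkt + 12, 8, 0);      /* source + destination address */
    acc += 6 + (uint32_t)tcp_len;                 /* zero byte, protocol 6, TCP length words */
    return fold(ones_sum(pkt + ihl, tcp_len, acc)) == 0;
}
/* Constructed 40-byte SYN 192.168.1.1:1234 -> 192.168.1.2:80, both checksums valid. */
#define PKT_LEN 40
static const uint8_t good_pkt[PKT_LEN] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0xf7,0x7b,
    0xc0,0xa8,0x01,0x01, 0xc0,0xa8,0x01,0x02,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x07,0x6d,0x00,0x00 };
/* Alert bitmask: bit 0 = bad IP header checksum, bit 1 = bad TCP checksum. */
int checksum_alerts(const uint8_t *pkt, size_t len) {
    return (ip_checksum_ok(pkt, len) ? 0 : 1) | (tcp_checksum_ok(pkt, len) ? 0 : 2);
}
/* Overwrite one byte of a copy of good_pkt and report which alerts would fire. */
int alerts_after_edit(size_t off, uint8_t value) {
    uint8_t buf[PKT_LEN];
    memcpy(buf, good_pkt, PKT_LEN);
    buf[off] = value;
    return checksum_alerts(buf, PKT_LEN);
}
```

A changed TTL (byte 8) only breaks the IP header checksum, a changed TCP window (byte 34) only the TCP checksum, and a changed address breaks both because the addresses are also in the TCP pseudo-header.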