[Snort-users] Re: Rules that fire on bad checksums?

Will Metcalf william.metcalf at ...11827...
Wed Sep 8 20:17:04 EDT 2004

Ummmmm, you could replace your snort IDS which you know and love. Or
you could apply the patch attached below.  I was feeling nice and had
an extra 5 minutes so I whipped this up for 2.2.0 users out there. 
Victor Julien and I are working on adding this into snort_inline
anyhow.  This should apply cleanly to snort-2.2.0 and give you the
alerting you desire.



On Wed, 8 Sep 2004 22:12:48 -0400, Richard Bejtlich
<taosecurity at ...11827...> wrote:
> Glenn Forbes Fleming Larratt wrote:
> tcpdump will make noise when an IP or embedded protocol checksum is bad.
> I cannot find anything in the Snort manual that would alert on that
> condition - is there any such thing, either in the rules or in a plugin?
> --
> You might consider looking at Vern Paxson's open source Bro IDS
> (http://bro-ids.org/).  The Bro manual index shows several ways to
> catch bad checksums in various headers. [0]  For example:
> # checksum error, ICMP: Events handled by conn_weird
> # checksum error, IP: Events handled by net_weird
> # checksum error, TCP: Events handled by conn_weird
> # checksum error, UDP: Events handled by conn_weird
> Bro excels at detecting these sort of odd packet features.
> I recently exchanged emails with a Bro developer who claims a lot of
> work is being done to make Bro easier to deploy and manage.  I think
> the new Web site and Wiki are evidence this is happening.  [1]
> My book describes how to set up Bro using Chris Manders' BRA scripts.  [2]
> Sincerely,
> Richard
> http://www.taosecurity.com
> [0] http://bro-ids.org/Bro-reference-manual/Index.html
> [1] http://www.icir.org/twiki/bin/view/Bro/WebHome
> [2] http://www.baylinks.com/~cmanders/projects/bra.html and
> http://www.taosecurity.com/books.html
-------------- next part --------------
Attachment (text, charset unspecified, scrubbed by the archive):
Name: 2.2.0-checksumalerts.diff
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040908/dff090ac/attachment.ksh>
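The thread asks how a sensor alerts on the "checksum error, IP/TCP/UDP" condition that tcpdump and Bro report. The following is an added illustration, not the attached Snort patch or any Snort or Bro code: it verifies the IPv4 header checksum and the TCP/UDP pseudo-header checksum over constructed sample packets, which is the check such an alert rule has to perform (function and address values are made up for the example).

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: complement of the folded 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_errors(pkt: bytes) -> list:
    """Report bad checksums in an IPv4 packet as a list of "IP", "TCP" or "UDP".

    A header that includes its own correct checksum sums to zero, so a
    non-zero result is the sensor's "checksum error, <proto>" condition.
    """
    errors = []
    ihl = (pkt[0] & 0x0F) * 4
    if internet_checksum(pkt[:ihl]) != 0:
        errors.append("IP")
    proto = pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    segment = pkt[ihl:total_len]
    if proto in (6, 17):
        # Transport checksum covers a pseudo-header (addresses, proto, length).
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(segment))
        if proto == 17 and segment[6:8] == b"\x00\x00":
            return errors  # UDP checksum 0 means "not computed" (RFC 768), not an error
        if internet_checksum(pseudo + segment) != 0:
            errors.append("TCP" if proto == 6 else "UDP")
    return errors

def build_tcp_syn(src: str, dst: str, corrupt_ip=False, corrupt_tcp=False) -> bytes:
    """Constructed sample: a minimal IPv4/TCP SYN with correct checksums, optionally corrupted."""
    src_b, dst_b = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp_csum = internet_checksum(pseudo + tcp) ^ (0x00FF if corrupt_tcp else 0)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip_csum = internet_checksum(ip) ^ (0x00FF if corrupt_ip else 0)
    return ip[:10] + struct.pack("!H", ip_csum) + ip[12:] + tcp

if __name__ == "__main__":
    for flags in ((False, False), (True, False), (False, True), (True, True)):
        print(flags, checksum_errors(build_tcp_syn("10.0.0.1", "10.0.0.2", *flags)))
```

Feeding the same check each packet a capture library hands you is all a bad-checksum alert needs; note that on hosts with checksum offload, locally generated packets captured before the NIC fills in the checksum will look corrupt to such a check.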
