[Snort-users] geting this rule to work

JJC cummingsj at ...11827...
Sat Dec 1 09:23:51 EST 2012


My best suggestion after all of this: capture the packets that you want to detect (using Wireshark or tcpdump) and review them in Wireshark so that you understand them, then begin to write your rule(s) for detection.

Sent from my iPad

On Nov 30, 2012, at 15:37, Akinwale Fasuru <fashman2k1 at ...131...> wrote:

> Hello,
> 
> Here is what I came up with:
> alert icmp any any -> any any (msg:"Traceroute command attempted"; itype:<30; icode:<30; ttl:<30; sid:1000007;)
> It seems to work.
> But I need to write the same rule for Windows OS; is it going to be the same thing, or what needs to be changed?
> 
> Wale
> 
> 
> 
> 
> --- On Thu, 11/29/12, Giles Coochey <giles at ...9346...> wrote:
> 
>> From: Giles Coochey <giles at ...9346...>
>> Subject: Re: [Snort-users] geting this rule to work
>> To: snort-users at lists.sourceforge.net
>> Date: Thursday, November 29, 2012, 2:33 PM
>> On 29/11/2012 20:27, Jeremy Hoel wrote:
>>> Your rule is for all IP traffic, not just ICMP traffic.. then it
>>> looks for any packet with a ttl <3 and it triggers.
>>> 
>>> Try changing the rule for just icmp, then you can tweak it even more
>>> so with ICMP types and codes, not just ttl.
>>> 
>>> There is (was? I use pp so I forget) an ICMP.rules file that you can
>>> look at for examples.
>>> 
>>> 
>> Don't most Unices use UDP for traceroute?
>> 
>> -- 
>> Regards,
>> 
>> Giles Coochey, CCNA, CCNAS
>> NetSecSpec Ltd
>> +44 (0) 7983 877438
>> http://www.coochey.net
>> http://www.netsecspec.co.uk
>> giles at ...9346...
>> 
>> 
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
> 
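The thread leaves the actual question half-answered: the posted rule only looks at ICMP, so it can see a Windows tracert (which sends ICMP Echo Requests with a climbing TTL) but never a stock Unix traceroute, which, as Giles points out, sends UDP datagrams (to destination ports starting at 33434) instead. The two rules below are an added illustration written for this archive page; they are not from the original posts and not from the Snort distribution. The sid values, the use of the $HOME_NET/$EXTERNAL_NET variables, and the TTL threshold of 4 are assumptions to be tuned to where the sensor sits in the path; the tcpdump filter in the comment is a starting point for the capture-first workflow suggested above.

```snort
# Added example rules (not from the thread). Capture the probes first, e.g.
#   tcpdump -ni eth0 -w probes.pcap 'icmp or (udp and dst portrange 33434-33534)'
# then check in Wireshark which type/code, ports and TTLs the probes carry
# before trusting the thresholds below.

# Windows tracert: ICMP Echo Request (type 8, code 0) with TTL starting at 1.
# Pinning itype to 8 keeps the rule from matching the Echo Replies and
# Time Exceeded messages that come back the other way; ttl:<4 (assumed)
# only catches probes that are about to expire near this sensor.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute probe (Windows tracert style)"; itype:8; icode:0; ttl:<4; classtype:attempted-recon; sid:1000008; rev:1;)

# Unix/Linux traceroute: UDP to high ports beginning at 33434, TTL starting at 1.
# An icmp-protocol rule never sees these, so a second rule on udp is needed;
# the port range plus the low TTL keeps it narrow.
alert udp $EXTERNAL_NET any -> $HOME_NET 33434:33534 (msg:"UDP traceroute probe (Unix style)"; ttl:<4; classtype:attempted-recon; sid:1000009; rev:1;)
```

Two things worth noticing when comparing these with the rule posted in the thread. First, `itype:<30` and `icode:<30` admit almost every ICMP type and code in use, so in the original rule the TTL test is doing all of the work and it will fire on any low-TTL ICMP packet, not specifically on traceroute. Second, the change needed "for Windows" is not a different TTL value but a different protocol: the ICMP rule already covers tracert, and it is the Unix traceroute that needs the UDP rule.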
