Hosting Provided By

[Snort-sigs] Proposed change to icmp-info.rules

From: Jim Breton <vader(at)conflict.net>
Date: Wed May 28 2003 - 14:01:39 EDT

This change attempts to accomplish two things:

Adds a rule to identify Windows's ICMP traceroute;
Moves the ICMP Ping rule below the generic ICMP traceroute rule (which,

AFAICT, would never be triggered with the original rule ordering).

rules.orig/icmp-info.rules Wed May 21 04:15:32 2003
+++ rules/icmp-info.rules Wed May 21 05:33:16 2003
@@ -30,8 +30,9 @@ alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Seer Windows"; content:"|88042020202020202020202020202020|"; itype:8; depth:32; reference:arachnids,166; sid:380; classtype:misc-activity; rev:4;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; sid:381; classtype:misc-activity; rev:4;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 8; depth: 16; reference:arachnids,169; sid:382; classtype:misc-activity; rev:4;) -alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype: 8; icode: 0; sid:384; classtype:misc-activity; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute Windows"; ttl:1; itype: 8; content: "|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth: 32; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ";ttl:1;itype:8; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:2;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype: 8; icode: 0; sid:384; classtype:misc-activity; rev:4;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; itype: 18; icode: 0; sid:386; classtype:misc-activity; rev:4;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply (Undefined Code!)"; itype: 18; sid:387; classtype:misc-activity; rev:4;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; itype: 17; icode: 0; sid:388; classtype:misc-activity; rev:4;)

-- 

Jim B.
vader@conflict.net


-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Thu May 29 09:03:36 2003

This message: [ Message body ]
Next message: Nate Haggard: "[Snort-sigs] Re: Signatures related to POP3 overflow attempt"
Previous message: Faiz Ahmad Shuja: "[Snort-sigs] Detecting Connections"
In reply to rmkml: "[Snort-sigs] Submitt new rules"
Next in thread: Jim Breton: "[Snort-sigs] Re: Proposed change to icmp-info.rules"
Reply: Jim Breton: "[Snort-sigs] Re: Proposed change to icmp-info.rules"
Reply: Brian: "Re: [Snort-sigs] Proposed change to icmp-info.rules"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT