Security Incidents: Re: Source of Recent Distributed Pings

Re: Source of Recent Distributed Pings

From: Ryan W. Maple <ryan_at_GUARDIANDIGITAL.COM>
Date: Wed, 20 Dec 2000 10:59:06 -0500


On Tue, 5 Dec 2000, Joe Stewart wrote:

> Here is a signature for Snort that will differentiate between the Speedera
> pings and hopefully most *nix pings. (Make sure to put the Speedera signature
> above the *nix and BSD ping signatures in your rules file, since both will
> also match)
>
> alert ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; )

I know this is a little bit old now, but I have had this rule in my
ruleset (custom based on the 09262k ruleset) for a week or so and it does
not differentiate properly. I assume there must be some other product out
there doing the same type of thing... perhaps somebody with some more
snort knowledge would like to come up with a rule for this one? ;)

Name: magic.cybercon.com
Address: 64.37.65.194

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] PING *NIX Type [**]
12/20-10:53:28.400588 64.37.65.194 -> 63.87.101.XX
ICMP TTL:55 TOS:0x0 ID:40914
ID:15885 Seq:56770 ECHO
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 ()*+,-./01234567
38 39 3A 3B 3C 3D 3E 3F 89:;<=>?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Thanks a bunch.

Cheers,
Ryan

 +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
   Ryan W. Maple "I dunno, I dream in Perl sometimes..." -LW
   Guardian Digital, Inc. ryan_at_guardiandigital.com
 +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
Received on Dec 20 2000
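An added example, not part of the original thread and not Snort's own code: a small Python emulation of the content/depth test from the quoted rule, run over the payload bytes from the Snort dump above and over a constructed Windows-style ping payload. It shows why the rule fires on that *nix ping: the sequential fill 08..3F already contains the bytes 38 39 3A 3B 3C 3D 3E 3F. The Windows fill string, the depth semantics and the parser's handling of the ASCII column are assumptions.

```python
import re
from typing import Optional

# Payload hex dump copied from the Snort alert quoted in the message above
# (the *nix ping from 64.37.65.194); the right-hand column is Snort's
# printable-ASCII rendering and is skipped by the parser below.
SNORT_DUMP = """\
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 ................
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 ()*+,-./01234567
38 39 3A 3B 3C 3D 3E 3F 89:;<=>?
"""

# Constructed comparison payload: the fixed 32-byte fill used by Windows ping
# (assumption; not taken from the thread).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_snort_dump(dump: str) -> bytes:
    """Turn Snort's hex+ASCII payload dump back into raw bytes.
    Each line carries up to 16 two-digit hex tokens; the first token that is
    not a hex pair (or the 17th token) starts the ASCII column and is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def content_match(payload: bytes, content: bytes, depth: Optional[int] = None) -> bool:
    """Emulate Snort's content/depth: the pattern must lie entirely within the
    first `depth` payload bytes (the whole payload when depth is None)."""
    window = payload if depth is None else payload[:depth]
    return content in window

# The quoted rule: content:"|3839 3a3b 3c3d 3e3f|"; depth:100; itype:8;
SPEEDERA_CONTENT = bytes.fromhex("38393a3b3c3d3e3f")

def speedera_rule_fires(payload: bytes) -> bool:
    """True when the quoted signature's content/depth test matches; itype:8
    (echo request) is assumed to have been checked already."""
    return content_match(payload, SPEEDERA_CONTENT, depth=100)

if __name__ == "__main__":
    nix = parse_snort_dump(SNORT_DUMP)
    print(f"*nix ping: {len(nix)} payload bytes, rule fires: {speedera_rule_fires(nix)}")
    print(f"Windows ping: rule fires: {speedera_rule_fires(WINDOWS_PING_PAYLOAD)}")
```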