Snort mailing list archives

Re: [Fwd: Several Misbehaviors with the ICMP implementation (and the 'ping' utility) with MS based operating systems]


From: Max Vision <vision () whitehats com>
Date: Sun, 6 May 2001 19:43:54 -0700 (PDT)

On Mon, 7 May 2001, Fyodor wrote:
> On Sun, May 06, 2001 at 03:14:51PM -0400, Edwin Chiu wrote:
> > Is there a snort signature for these packets? From what I remember, I don't
> > think snort 1.7 can do it... what about 1.8?

Snort 1.7 supports icmp_seq and icmp_id...

intrusion events that use the icmp_seq number:
 IDS178/Ping CyberCop55 (18467)
 IDS182/ddos-tfn-server-response (0)
 IDS183/ddos-tfn-client-command-le (0)
 IDS184/ddos-tfn-client-command-be (0)
 IDS449/ping-Nemesis v1.1 Echo (0)
 IDS450/ping-icmpenum v1.1.1 (0)

intrusion events that use icmp_id:
 IDS182/ddos-tfn-server-response (123)
 IDS183/ddos-tfn-client-command-le (51201)
 IDS184/ddos-tfn-client-command-be (456)
 IDS190/ddos-stacheldraht client-check (666)
 IDS191/ddos-stacheldraht server-response (667)
 IDS192/ddos-stacheldraht client-spoofworks (1000)
 IDS193/ddos-stacheldraht server-spoof (666)
 IDS194/ddos-stacheldraht client-check-gag (39938)
 IDS195/ddos-stacheldraht server-response-gag (669)
 IDS425/ddos-tfn2k-icmp_possible_communication (0)
 IDS443/ddos-tfn-probe (678)
 IDS449/ping-Nemesis v1.1 Echo (0)
 IDS450/ping-icmpenum v1.1.1 (666)
 IDS486/ping-Sentinel Etherping (31337)

Max
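
Added example (not part of the original message, and not Snort's or the rule set's own code): what matching on icmp_id and icmp_seq amounts to, using the values from the two lists above. It assumes that only the identifier and sequence fields of ICMP echo request/reply headers are examined, since the post does not give the other conditions of each signature; the function names are illustrative.

```python
import struct

# Field values copied from the two lists in the post, keyed by IDS number.
ICMP_SEQ = {"IDS178": 18467, "IDS182": 0, "IDS183": 0, "IDS184": 0,
            "IDS449": 0, "IDS450": 0}
ICMP_ID = {"IDS182": 123, "IDS183": 51201, "IDS184": 456, "IDS190": 666,
           "IDS191": 667, "IDS192": 1000, "IDS193": 666, "IDS194": 39938,
           "IDS195": 669, "IDS425": 0, "IDS443": 678, "IDS449": 0,
           "IDS450": 666, "IDS486": 31337}

ECHO_TYPES = (0, 8)  # assumption: only echo reply / echo request are checked


def parse_echo(icmp: bytes):
    """Return (type, id, seq) for an ICMP echo message, else None."""
    if len(icmp) < 8:
        return None  # truncated header: no id/seq fields to read
    itype, _code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype not in ECHO_TYPES:
        return None
    return itype, ident, seq


def candidates(icmp: bytes):
    """IDS numbers whose listed icmp_id/icmp_seq values all match the packet."""
    parsed = parse_echo(icmp)
    if parsed is None:
        return []
    _, ident, seq = parsed
    hits = []
    for sig in sorted(set(ICMP_ID) | set(ICMP_SEQ)):
        id_ok = sig not in ICMP_ID or ICMP_ID[sig] == ident
        seq_ok = sig not in ICMP_SEQ or ICMP_SEQ[sig] == seq
        if id_ok and seq_ok:
            hits.append(sig)
    return hits


def sample(itype, ident, seq, payload=b""):
    """Constructed test packet (checksum left as 0; it is not inspected here)."""
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload


if __name__ == "__main__":
    for pkt in (sample(0, 666, 0), sample(8, 0, 0), sample(8, 0x1234, 7)):
        print(parse_echo(pkt), candidates(pkt))
```

Several entries share the same field values (id 666 appears three times in the list), so these two fields alone narrow a packet to a set of candidates rather than to one signature.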


