Snort mailing list archives
Re: RE: Rule content question.
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 21 Aug 2002 14:22:40 -0400
What lack of replies? I made a couple of suggestions for this one... were the limitations unacceptable?
You are correct, however, that there is *no* way whatsoever in snort rules to detect that a packet contains *all* 00's. All you can do is exclude those with lots of 00's. But there are a lot of other things that can be done to make up for this limit and have a reasonably accurate rule.
Other improvements to my rule below could also be to make the content search have offset and depth restrictions. This way you could alert for any ICMP message whose body doesn't start with 00's. It still would fail to detect large ICMP packets starting with a bunch of 00's and then containing nonzero data, but it's pretty close to what you want and gives you a rule that is mostly usable.
re-quote: What about this? (sid changed to a local-rules sid range)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP nonzero Large ICMP Packet"; dsize: >800; content:!"|00|00|00|00|00|00|00|00|"; classtype:bad-unknown; sid:1000008; rev:1;)
Admittedly it only detects 8 00 bytes before deciding to ignore the packet, but you can expand it to more to reduce the false-negative rate.
Given your request for this, I take it you're trying to ignore AIX MTU probes, which use large pings of 00's.
Your other option, a little better, is to have a pass rule which passes ICMP echoes with the don't fragment bit set and contents of a whole pile of zeros, then leave the original rule intact. This way you have a lesser chance of passing things other than the AIX probes.
At 03:35 PM 8/20/2002 -0400, larosa, vjay wrote:
I guess from the lack of replies there is no way for me to accomplish this. vjl
Current thread:
- Rule content question. larosa, vjay (Aug 16)
- <Possible follow-ups>
- Re: Rule content question. Matt Kettler (Aug 16)
- RE: Rule content question. larosa, vjay (Aug 20)
- Re: RE: Rule content question. Clint Byrum (Aug 20)
- Re: RE: Rule content question. Andreas Hasenack (Aug 20)
- Re: RE: Rule content question. Phil Wood (Aug 20)
- Re: RE: Rule content question. Clint Byrum (Aug 20)
- Re: RE: Rule content question. Matt Kettler (Aug 21)
