Snort mailing list archives

Re: valid ICMP traffic


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 02 Dec 2004 16:08:05 -0500

At 04:29 AM 12/2/2004, support wrote:
My snort is very much working fine with really good results. But a small query

* I suppose snort should not detect normal ICMP traffic (i.e. a ping to any IP of 32 K) since it's valid traffic. But in my case it does detect such traffic, which I do not want detected.
Kindly let me know how to get out of this.


You probably just want to avoid using all of icmp-info.rules, and may want to modify some of the other icmp rules.

From my perspective, while a 32kb ping is valid, it's also highly suspicious, and certainly NOT normal. Many backdoors communicate via large pings, hence it being suspicious.

Really, if you're only looking to detect truly invalid input, and not merely suspicious traffic, then 90% or more of the snort ruleset isn't for you. Most attacks are "valid" traffic, but are outside the norm. Most snort rules pick up on this. A 32kb ping packet is certainly abnormal.
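As an added illustration of the two adjustments described in the reply (it is not part of the original thread or of the Snort distribution): leave icmp-info.rules out of snort.conf, and keep a narrower local rule that stays quiet on ordinary pings but fires on echo requests carrying an unusually large payload. The 1024-byte threshold, the SIDs and the message text are illustrative choices, not values from the thread.

```snort
# snort.conf: stop loading the broad informational ICMP rules.
# This is the line to comment out; $RULE_PATH is the stock snort.conf variable.
# include $RULE_PATH/icmp-info.rules

# local.rules: a narrower replacement. itype:8 is an ICMP echo request and
# dsize tests the ICMP payload length, so a default-sized ping passes and
# only oversized ones alert. 1024 bytes and sid 1000001 are assumptions.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP oversized echo request"; itype:8; dsize:>1024; classtype:misc-activity; sid:1000001; rev:1;)

# Same check in the reply direction (itype:0), so a large echo reply leaving
# the network, the other half of a ping-based backdoor exchange, is also seen.
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL ICMP oversized echo reply"; itype:0; dsize:>1024; classtype:misc-activity; sid:1000002; rev:1;)
```

With this in place a 32 K ping still alerts, while the 32- or 56-byte pings that ordinary tools send do not. Pick the dsize threshold from what your own network actually carries (some monitoring tools do send larger pings), and make sure local.rules is itself included from snort.conf so the replacement rules are loaded.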





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

