Snort mailing list archives
Re: geting this rule to work
From: Akinwale Fasuru <fashman2k1 () yahoo com>
Date: Fri, 30 Nov 2012 13:37:22 -0800 (PST)
Hello, Here is what i came up with: alert icmp any any -> any any (msg:"Traceroute command attempted"; itype:<30; icode:<30; ttl:<30; sid:1000007) it seem to work. But i need to write same rule for Windows OS, is it going to be the same thing or what needs to be changed? Wale --- On Thu, 11/29/12, Giles Coochey <giles () coochey net> wrote:
From: Giles Coochey <giles () coochey net> Subject: Re: [Snort-users] geting this rule to work To: snort-users () lists sourceforge net Date: Thursday, November 29, 2012, 2:33 PM On 29/11/2012 20:27, Jeremy Hoel wrote:Your rule is for all IP traffic, not just ICMPtraffic.. then itlooks for any packet with a ttl <3 and it triggers. Try changing the rule for just icmp, then you can tweakit even moreso with ICMP types and codes, not just ttl. There is (was? I use pp so i forget) a ICMP.rules filesthat you canlook at for examples.Don't most Unices use UDP for traceroute? -- Regards, Giles Coochey, CCNA, CCNAS NetSecSpec Ltd +44 (0) 7983 877438 http://www.coochey.net http://www.netsecspec.co.uk giles () coochey net -----Inline Attachment Follows----- ------------------------------------------------------------------------------ Keep yourself connected to Go Parallel: VERIFY Test and improve your parallel project with help from experts and peers. http://goparallel.sourceforge.net -----Inline Attachment Follows----- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Keep yourself connected to Go Parallel: TUNE You got it built. Now make it sing. Tune shows you how. http://goparallel.sourceforge.net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- geting this rule to work Akinwale Fasuru (Nov 29)
- Re: geting this rule to work Jeremy Hoel (Nov 29)
- Re: geting this rule to work Giles Coochey (Nov 29)
- Re: geting this rule to work Jeremy Hoel (Nov 29)
- Re: geting this rule to work Marcos Rodriguez (Nov 29)
- Re: geting this rule to work Jeremy Hoel (Nov 29)
- Re: geting this rule to work Giles Coochey (Nov 29)
- Re: geting this rule to work Marcos Rodriguez (Nov 29)
- Re: geting this rule to work waldo kitty (Nov 29)
- Re: geting this rule to work Akinwale Fasuru (Nov 30)
- Re: geting this rule to work JJC (Dec 01)
- Re: geting this rule to work waldo kitty (Dec 01)
- Re: geting this rule to work Jeremy Hoel (Dec 02)
- Re: geting this rule to work Jeremy Hoel (Nov 29)
- <Possible follow-ups>
- Re: geting this rule to work Y M (Nov 29)