Snort mailing list archives
Snort IPS mode couldn't detect the fragmented icmp packet.
From: arulgobinath emmanuel <arulgobi () gmail com>
Date: Thu, 15 Jul 2010 13:09:04 +0530
Hi,

I'm testing Snort in IPS mode [ Version 2.8.6 (Build 38) inline ]. I try to drop the ICMP packets with the following rule:

drop icmp any any -> any any (msg:"testing icmp found";sid:1000002;)

When I ping with the default packet size value, Snort is dropping properly:

07/15-13:03:32.195730 [Drop] [**] [1:1000002:0] testing icmp found [**] [Priority: 0] {ICMP} 203.xx.xx.xx -> 203.xx.xx.xx

But when I increase the packet size, I can ping without any problem:

ping 203.xx.xx.xx -l 1500

Pinging 203.xx.xx.xx with 1500 bytes of data:
Reply from 203.xx.xx.xx: bytes=1500 time=3ms TTL=64

Is it a problem with fragmented packet handling? Are there any configuration changes I have to make, or any suggestions to overcome this issue?

Thanks in advance,
Ragu.