Snort mailing list archives
Re: geting this rule to work
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 29 Nov 2012 20:43:03 +0000
You can use udp for traceroute, but I didn't think it was the default, because you would also have to specify a port, right?

On Thu, Nov 29, 2012 at 8:33 PM, Giles Coochey <giles () coochey net> wrote:
> On 29/11/2012 20:27, Jeremy Hoel wrote:
>> Your rule is for all IP traffic, not just ICMP traffic. Then it looks for any packet with a ttl <3 and it triggers. Try changing the rule for just icmp, then you can tweak it even more with ICMP types and codes, not just ttl. There is (was? I use pp so I forget) an ICMP.rules file that you can look at for examples.
>
> Don't most Unices use UDP for traceroute?
>
> --
> Regards,
> Giles Coochey, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 7983 877438
> http://www.coochey.net
> http://www.netsecspec.co.uk
> giles () coochey net
>
> ------------------------------------------------------------------------------
> Keep yourself connected to Go Parallel:
> VERIFY Test and improve your parallel project with help from experts and peers.
> http://goparallel.sourceforge.net
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
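The narrowing discussed in this message, written out as an added example that is not from the thread. The original poster's rule does not appear on this page, so the first rule is a constructed stand-in for "all IP traffic with ttl <3"; the SIDs, message strings, variable usage and the 33434:33534 port range (the usual default destination range for UDP traceroute) are assumptions.

```snort
# Constructed stand-in for the broad rule described in the thread.
# Protocol "ip" matches every IP packet, so anything arriving with a
# TTL below 3 fires: ICMP, UDP, TCP, and link-local traffic that is
# normally sent with TTL 1 (for example routing protocol hellos).
alert ip any any -> $HOME_NET any (msg:"LOCAL low TTL, any protocol"; ttl:<3; sid:1000001; rev:1;)

# Narrowed to ICMP, then tightened with type and code as suggested:
# only echo requests (type 8, code 0) with a low TTL, which is what
# an ICMP-based traceroute sends for its first hops.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP traceroute probe"; itype:8; icode:0; ttl:<3; sid:1000002; rev:1;)

# Covers the point raised in the reply: a UDP-based traceroute sends
# no ICMP toward the target, so the ICMP rule above never sees it.
# This rule watches the assumed default UDP probe port range instead.
alert udp $EXTERNAL_NET any -> $HOME_NET 33434:33534 (msg:"LOCAL UDP traceroute probe"; ttl:<3; sid:1000003; rev:1;)
```

Loading the second and third rules together covers both probe styles without the any-protocol matches of the first; a traceroute run with a non-default UDP port would still need the port range widened.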
Current thread:
- geting this rule to work Akinwale Fasuru (Nov 29)
- Re: geting this rule to work Jeremy Hoel (Nov 29)
- Re: geting this rule to work Giles Coochey (Nov 29)
- Re: geting this rule to work Jeremy Hoel (Nov 29)
- Re: geting this rule to work Marcos Rodriguez (Nov 29)
- Re: geting this rule to work Jeremy Hoel (Nov 29)
- Re: geting this rule to work Giles Coochey (Nov 29)
- Re: geting this rule to work Marcos Rodriguez (Nov 29)
- Re: geting this rule to work waldo kitty (Nov 29)
- Re: geting this rule to work Akinwale Fasuru (Nov 30)
- Re: geting this rule to work JJC (Dec 01)
- Re: geting this rule to work waldo kitty (Dec 01)
- Re: geting this rule to work Jeremy Hoel (Dec 02)
- Re: geting this rule to work Jeremy Hoel (Nov 29)
- <Possible follow-ups>
- Re: geting this rule to work Y M (Nov 29)