
| Subject: | Re: [Snort-sigs] New rule for detect "ICMP DoS HOD brute force" |
|---|---|
| Date: | Wed, 12 Oct 2005 21:36:18 +0200 (CEST) |
Hi Alex,
A rule that provides essentially identical detection to what you're proposing here (it does not look for the content, but as you note the content is not necessarily worth keeping) already exists as SID 404. While it's in icmp-info.rules, the tool referenced here generates 65536 packets in roughly 1-2 seconds; since Snort alerts on each of those packets, I'm pretty sure that anyone who saw that many alerts appearing that quickly would realize that some sort of attack was under way.
Please drop my submitted rule. Thx, Rmkml