[Dshield] Communication when emails are being watched

Chris Brenton cbrenton at chrisbrenton.org
Fri Dec 26 00:34:48 GMT 2003

On Wed, 2003-12-24 at 20:01, DAN MORRILL wrote:
> alert icmp $External_net any -> $home_net any (msg:"Large ICMP Packet 
> Capture"; itype:8; dsize:>32; classtype:misc-activity; rev:1;)
> that would capture all type 8 icmp packets with any content.

Actually, if it was me, I would change the existing Snort type 8 sigs
for known OSes to pass rules, _then_ do the above. That will help you to
eliminate a lot of noise from normal Ping traffic.

Just make sure you start Snort with the '-o' switch to process pass
rules first.

>  However, I 
> would most likely want to grab the whole packet, and I am not sure that the 
> rule would do this.

Start Snort with the '-d' switch, that tells it to record the
application layer as well. Depending on how many type 8s you have
floating around on your network (i.e. will you see Nachi-infected
systems or not), you may also want to use the '-b' switch to save in
binary (readable with tcpdump, windump, Ethereal, etc.). This will
greatly speed up processing.
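The pass-then-alert layout described above, written out as an added example (not part of the original thread, and not the stock Snort ruleset). It assumes Snort 2.x rule syntax, the default $EXTERNAL_NET/$HOME_NET variables, the echo payload patterns the stock icmp.rules used for Windows and *NIX pings, and a local sid in the 1000000+ range; the command line in the comment is the one the post recommends.

```snort
# Pass rules first. With '-o' Snort evaluates Pass before Alert, so echo
# requests that look like a normal OS ping never reach the catch-all rule.
# Payload patterns taken from the stock Snort "ICMP PING Windows" / "*NIX"
# signatures; sids are local placeholders (assumption).
pass icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; sid:1000001; rev:1;)
pass icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; sid:1000002; rev:1;)

# Catch-all for everything else of type 8: any remaining echo request is
# alerted on and, with '-d', logged together with its payload.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Unrecognized ICMP Echo Request"; itype:8; classtype:misc-activity; sid:1000003; rev:1;)

# Invocation (assumed paths):
#   snort -o -d -b -c /etc/snort/snort.conf -l /var/log/snort
#   -o  process Pass rules before Alert rules
#   -d  dump the application layer into the log
#   -b  write the log as pcap (tcpdump/windump/Ethereal can read it)
```

Without '-o' the alert rule fires first for every echo request and the pass rules never take effect, which is the noise the post is trying to remove.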


