[Dshield] Snort question: IPflags ?

Josh Tolley josh at raintreeinc.com
Mon Sep 22 16:31:59 GMT 2003


Stephane Grobety wrote:

>Hello,
>
>Does anyone know how I can setup SNORT to log the IP flags of some/all
>of it's ICMP packet dumps ?
>
I know it's not exactly what you're looking for, but could you not start 
tcpdump on an appropriate box looking for "icmp and ip[6] & 0xE0 != 0" 
?  If my tcpdump rule writing is correct, that should show you any ICMP 
where there are flags set (the 0xE0 would mask out everything except the 
3 flag bits). You could correlate that output with snort logs....

>I could, of course, decode it manually,
>but as you can see, I'm a bit too lazy to do that ;)
>
...so this might not do you any good after all *grin*

Josh Tolley




More information about the list mailing list