[Dshield] Snort question: IPflags ?
josh at raintreeinc.com
Mon Sep 22 16:31:59 GMT 2003
Stephane Grobety wrote:
>Does anyone know how I can setup SNORT to log the IP flags of some/all
>of its ICMP packet dumps ?
I know it's not exactly what you're looking for, but could you not start
tcpdump on an appropriate box looking for "icmp and ip & 0xE0 != 0"?
If my tcpdump rule writing is correct, that should show you any ICMP
where there are flags set (the 0xE0 would mask out everything except the
3 flag bits). You could correlate that output with snort logs...
>I could, of course, decode it manually,
>but as you can see, I'm a bit too lazy to do that ;)
...so this might not do you any good after all *grin*
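As an added illustration (not the poster's code), the following Python decodes the same three flag bits the 0xE0 mask isolates, from a constructed IPv4/ICMP packet rather than a live capture. In BPF the byte must be addressed explicitly, so the equivalent tcpdump filter is "icmp and ip[6] & 0xe0 != 0"; the packet builder, addresses and IDs below are constructed test values.

```python
"""Decode the IPv4 flag bits (Reserved, DF, MF) from raw packet bytes."""
import struct
from typing import List

IP_PROTO_ICMP = 1
# Byte 6 of the IPv4 header: top three bits are the flags, the remaining
# five bits (plus byte 7) are the fragment offset. 0xE0 keeps only the flags.
IP_FLAG_NAMES = {0x80: "RESERVED", 0x40: "DF", 0x20: "MF"}


def build_ipv4_icmp(flags_byte: int, frag_offset: int = 0) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header + 8-byte ICMP echo request.

    flags_byte carries the flag bits in its top three bits; frag_offset is the
    13-bit fragment offset in 8-byte units. Checksums are left at zero.
    """
    frag_field = ((flags_byte & 0xE0) << 8) | (frag_offset & 0x1FFF)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)  # type 8, code 0, id, seq
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(icmp), 0xABCD, frag_field,
                      64, IP_PROTO_ICMP, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + icmp


def ip_flags(packet: bytes) -> List[str]:
    """Return the names of the IP flag bits set in an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flag_bits = packet[6] & 0xE0          # mask off the fragment-offset bits
    return [name for bit, name in IP_FLAG_NAMES.items() if flag_bits & bit]


def is_icmp_with_flags(packet: bytes) -> bool:
    """Same test as the BPF expression 'icmp and ip[6] & 0xe0 != 0'."""
    return packet[9] == IP_PROTO_ICMP and bool(ip_flags(packet))


if __name__ == "__main__":
    # A non-zero fragment offset with no flags must NOT match: the mask
    # discards the offset bits that share byte 6 with the flags.
    for flags, offset in ((0x00, 0), (0x40, 0), (0x60, 0), (0x00, 0x1FFF)):
        pkt = build_ipv4_icmp(flags, offset)
        print(f"flags=0x{flags:02x} offset={offset}: "
              f"{ip_flags(pkt)} match={is_icmp_with_flags(pkt)}")
```

Note that many hosts set DF on ordinary ICMP echo traffic, so matching on any flag bit is noisy; decoding which bit fired is what makes the correlation with the Snort logs useful.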