98
Chapter 3 Working with Snort Rules
3.6.10 The icmp_id Keyword
The icmp_id option is used to detect a particular identifier value in an ICMP packet. Refer
to Appendix C for ICMP header information. The general format for using this keyword
is as follows:
icmp_id:
The ICMP identifier field is found in ICMP ECHO REQUEST and ICMP ECHO
REPLY messages, as discussed in RFC 792. This field is used to match ECHO
REQUEST and ECHO REPLY messages. Usually when you use the ping command,
both of these types of ICMP packets are exchanged between the sending and receiving
hosts. The sending host sends ECHO REQUEST packets and the destination host
replies with ECHO REPLY type ICMP packets. This field is useful for discovering
which packet is the reply to a particular request. The following rule checks whether the ICMP
ID field in the ICMP header is equal to 100. It generates an alert if this criterion is met.
alert icmp any any -> any any (icmp_id: 100; \
msg: "ICMP ID=100";)
3.6.11 The icmp_seq Keyword
The icmp_seq option is similar to the icmp_id keyword. The general format for
using this keyword is as follows:
icmp_seq:
The sequence number is also a field in the ICMP header and is likewise useful in
matching ICMP ECHO REQUEST and ECHO REPLY messages, as mentioned in RFC
792. The keyword helps to find a particular sequence number. However, the practical
use of this keyword is very limited. The following rule checks for a sequence number of
100 and generates an alert:
alert icmp any any -> any any (icmp_seq: 100; \
msg: "ICMP Sequence=100";)
3.6.12 The itype Keyword
The ICMP header comes after the IP header and contains a type field. Appendix C
explains the ICMP header and the different codes that are used in the type field. A detailed
discussion is found in RFC 792 at http://www.rfc-editor.org/rfc/rfc792.txt. The itype
keyword is used to detect attacks that use the type field in the ICMP packet header. The
argument to this keyword is a number, and the general format is as follows:
itype: "ICMP_type_number"
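To make the three keywords concrete (Sections 3.6.10 through 3.6.12), the following added example (written for this text; it is not code from the book or from the Snort project) parses the 8-byte ICMP header described in RFC 792 and evaluates the icmp_id, icmp_seq and itype options of a rule against it. The sample packet is constructed inline, and the rule-option parser and matcher are simplified stand-ins for Snort's own option handling, not a reimplementation of it.

```python
"""Added example: decode an ICMP header and match Snort icmp_id / icmp_seq / itype options.

Not the book's or Snort's code; the matcher only handles the three keywords
discussed here and treats every other option (for example msg) as informational.
"""
import struct

# ICMP header layout per RFC 792 (network byte order):
#   type (1) | code (1) | checksum (2) | identifier (2) | sequence number (2)
# The identifier and sequence fields only carry meaning for echo messages.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_HEADER_FMT = "!BBHHH"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP echo request/reply message (test data built here)."""
    header = struct.pack(ICMP_HEADER_FMT, icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(ICMP_HEADER_FMT, icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Return the header fields; icmp_id/icmp_seq are set only for echo messages."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(packet))
    itype, code, csum, ident, seq = struct.unpack(ICMP_HEADER_FMT, packet[:8])
    fields = {"itype": itype, "icode": code, "checksum": csum}
    if itype in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        fields["icmp_id"] = ident
        fields["icmp_seq"] = seq
    # A correct message sums (with its checksum) to all ones, so the complement is 0.
    fields["checksum_ok"] = icmp_checksum(packet) == 0
    return fields


def parse_options(option_str: str) -> dict:
    """Parse the parenthesised option list of a rule, e.g. '(icmp_id: 100; msg: "x";)'.

    Backslash line continuations, as used in the rules above, are joined first.
    """
    text = option_str.replace("\\\n", " ").strip().strip("()")
    opts = {}
    for item in text.split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts


def rule_matches(options: dict, fields: dict) -> bool:
    """True when every icmp_id / icmp_seq / itype option equals the decoded field.

    A non-echo message has no id/seq, so an icmp_id or icmp_seq option never
    matches it (simplified assumption of this example).
    """
    for key in ("icmp_id", "icmp_seq", "itype"):
        if key in options:
            if key not in fields or fields[key] != int(options[key]):
                return False
    return True


def check_rule(rule_options: str, packet: bytes) -> str:
    """Return the rule's msg text if the packet matches, otherwise an empty string."""
    opts = parse_options(rule_options)
    return opts.get("msg", "match") if rule_matches(opts, parse_icmp(packet)) else ""


if __name__ == "__main__":
    # Constructed sample: echo request with identifier 100 and sequence 100.
    sample = build_echo(ICMP_ECHO_REQUEST, 100, 100, b"ping-payload")
    print(parse_icmp(sample))
    print(check_rule('(icmp_id: 100; \\\nmsg: "ICMP ID=100";)', sample))
    print(check_rule('(icmp_seq: 100; msg: "ICMP Sequence=100";)', sample))
    print(check_rule('(itype: 8; msg: "ICMP Echo Request";)', sample))
```

Running the script prints the decoded header followed by the three rule messages, since the constructed packet satisfies each option. Changing the identifier, sequence or type in build_echo shows the corresponding rule falling silent, and a destination-unreachable message (type 3) never matches an icmp_id or icmp_seq rule because those fields are not defined for it.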