100
Chapter 3     Working with Snort Rules
The type field in the ICMP header shows the type of ICMP message. The code
field is used to explain the type in detail. For example, if the type field value is 5, the
ICMP packet type is  ICMP redirect  packet. There may be many reasons for the gen 
eration of an ICMP redirect packet. These reasons are defined by the code field as listed
below:
  If code field is 0, it is a network redirect ICMP packet.
  If code field is 1, it is a host redirect packet.
  If code is 2, the redirect is due to the type of service and network.
  If code is 2, the redirect is due to type of service and host.
The icode keyword in Snort rule options is used to find the code field value in the
ICMP header. The following rule generates an alert for host redirect ICMP packets.
alert icmp any any  > any any (itype: 5; \
   icode: 1; msg: "ICMP ID=100";)
Both itype and icode keywords are used. Using the icode keyword alone will not
do the job because other ICMP types may also use the same code value.
3.6.14 The id Keyword
The id keyword is used to match the fragment ID field of the IP packet header. Its
purpose is to detect attacks that use a fixed ID number in the IP header of a packet. Its
format is as follows:
id: "id_number"
If the value of the id field in the IP packet header is zero, it shows that this is the
last fragment of an IP packet (if the packet was fragmented). The value 0 also shows
that it is the only fragment if the packet was not fragmented. The id keyword in the
Snort rule can be used to determine the last fragment in an IP packet. 
3.6.15 The ipopts Keyword
A basic IPv4 header is 20 bytes long as described in Appendix C. You can add
options to this IP header at the end. The length of the options part may be up to 40
bytes. IP options are used for different purposes, including:
  Record Route (rr)
  Time Stamps (ts)






footer




 

 

 

 

 Home | About Us | Network | Services | Support | FAQ | Control Panel | Order Online | Sitemap | Contact

toronto web hosting

 

Our partners: PHP: Hypertext Preprocessor Cheap Web Hosting JSP Web Hosting Ontario Web Hosting  Jsp Web Hosting

Cheapest Web Hosting Java Hosting Cheapest Hosting

Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved