firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0

snort is not alerting on some IPs #201

Open nouar2202 opened 7 years ago

nouar2202 commented 7 years ago

Hello, I installed and configured Snort on Windows and installed the latest Snort rule set. I have a tcpdump file that contains suspicious ICMP traffic from source IP 1.2.3.4, but Snort did not alert on it. I added my own rule in local rules: alert icmp 1.2.3.4 any -> any any (msg: "possible pod attack" ; sid:10000001; ) but it also did not alert on it. I also tried: alert ip 1.2.3.4 any -> any any (msg: "possible pod attack" ; sid:10000001; ) and it still did not alert. Does anyone have any idea about this?? Please, it's urgent. Thank you.


pauloangelo commented 7 years ago

Hi @nouar2202 ,

This bug tracker is used for Barnyard2 and not Snort. Also, your problem doesn't seem to be a bug, but an ordinary question. I suggest you look for help in the Snort discussion list.

Good luck.

PA

nouar2202 commented 7 years ago

Thank you. Actually it is a Snort issue. It's clear that the traffic is ICMP echo requests, but the packets are fragmented, so Snort doesn't see it as ICMP, but only IP. When I set the rule "alert ip 1.2.3.4" it's alerting. Do you know how to write a rule to alert on fragmented ICMP traffic?

On Mon, Dec 19, 2016 at 2:14 AM, Paulo Angelo notifications@github.com wrote:

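As an added illustration (not code from this issue, from Barnyard2 or from Snort) of why the poster's `icmp` rule stays silent while the `ip` rule fires: a small Python model of a decoder that only applies transport-layer rules to packets whose ICMP header is actually present, run over constructed fragments of an ICMP echo request from 1.2.3.4. The `reassemble` helper stands in for what a fragment-reassembly preprocessor (Snort's frag3) does and assumes in-order, non-overlapping fragments.

```python
import struct

IP_HDR = "!BBHHHBBH4s4s"  # minimal IPv4 header, no options, checksum left at 0

def ipv4_packet(src, dst, proto, ident, mf, offset, payload):
    """Build a minimal IPv4 packet; offset is in bytes (multiple of 8)."""
    flags_frag = (0x2000 if mf else 0) | ((offset // 8) & 0x1FFF)
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Extract the header fields a rule engine needs: addresses, protocol
    number, More-Fragments flag, fragment offset and the bytes after the header."""
    ver_ihl, _, _, ident, ff, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ident": ident, "proto": proto, "mf": bool(ff & 0x2000),
            "offset": (ff & 0x1FFF) * 8, "payload": pkt[ihl:]}

def decoded_layer(fields):
    """Rule protocol a decoder can apply to one packet on its own. A fragment
    (MF set or non-zero offset) carries no decodable ICMP header, so only 'ip'
    rules see it until reassembly restores the full datagram."""
    if fields["mf"] or fields["offset"]:
        return "ip"
    return {1: "icmp", 6: "tcp", 17: "udp"}.get(fields["proto"], "ip")

def rule_matches(rule_proto, rule_src, pkt):
    """Minimal 'alert <proto> <src> any -> any any' matcher."""
    f = parse_ipv4(pkt)
    proto_ok = rule_proto == "ip" or rule_proto == decoded_layer(f)
    return proto_ok and rule_src in ("any", f["src"])

def reassemble(frags):
    """In-order reassembly of one datagram; returns the rebuilt packet, or
    None if a gap or a missing last fragment leaves it incomplete."""
    frags = sorted(frags, key=lambda p: parse_ipv4(p)["offset"])
    first, data, expect = parse_ipv4(frags[0]), b"", 0
    for f in map(parse_ipv4, frags):
        if f["offset"] != expect:
            return None
        data, expect = data + f["payload"], expect + len(f["payload"])
    if parse_ipv4(frags[-1])["mf"]:
        return None
    return ipv4_packet(first["src"], first["dst"], first["proto"], first["ident"], False, 0, data)

# Constructed sample: a 48-byte ICMP echo request (type 8) split into two fragments.
ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * 40
FRAGS = [ipv4_packet("1.2.3.4", "10.0.0.5", 1, 0x1234, True, 0, ECHO[:24]),
         ipv4_packet("1.2.3.4", "10.0.0.5", 1, 0x1234, False, 24, ECHO[24:])]
```

Run against `FRAGS`, the `icmp` rule matches neither fragment, the `ip` rule matches both, and the `icmp` rule matches again only on the output of `reassemble(FRAGS)`.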