
List:       arachnids
Subject:    [arachNIDS] icmp.rules
From:       "Clifford, Shawn A" <shawn.a.clifford () lmco ! com>
Date:       2001-04-17 14:27:42

I meant for this to go in my last post as well.

The rule in 'icmp.rules' whose msg is: "ICMP Nmap2.36BETA or HPING2 Echo "
is triggered by icmp pings from Perl's Net::Ping module.

The following code will illustrate this on your snort box:

#!/usr/local/bin/perl
#
#  icmp_ping.pl
#

use strict;
use warnings;
use Net::Ping;

# Raw ICMP sockets require root.
if ($> != 0) {
    die "You must be 'root' to use icmp ping\n";
}

#
#  Create a ping object:  ICMP protocol w/ 2 second timeout.
#
my $p = Net::Ping->new("icmp", 2);

foreach my $node (@ARGV) {
    print "Pinging ", $node, " ... ";
    print scalar(localtime()), " : $node is ";
    print "NOT " unless $p->ping($node);
    print "reachable.\n";
}

$p->close();

To test:  ./icmp_ping.pl <snort_host>

Check your alert file.

Should "Perl" be added to the msg string?

-- Shawn
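Added example (not part of Shawn's post): after running the ping script, the question is which hosts actually produced the "ICMP Nmap2.36BETA or HPING2 Echo" alerts, so that a monitoring box running Net::Ping can be told apart from a real scanner. The script below parses Snort's plain-text "full" alert format (header line, classification line, timestamp/address line, protocol lines, blank line) and counts hits on one msg string by source address. The alert records embedded in it are constructed for the example; the gid:sid:rev field uses the placeholder `SID` rather than the rule's real id, and the addresses are documentation ranges.

```python
"""Triage Snort full-format alerts by msg string and source address."""
import re
from collections import Counter

TARGET_MSG = "ICMP Nmap2.36BETA or HPING2 Echo"

# Constructed sample alert file (not captured from a real sensor).
# "SID" stands in for the real signature id of the arachNIDS rule.
SAMPLE_ALERT_FILE = """\
[**] [1:SID:1] ICMP Nmap2.36BETA or HPING2 Echo  [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/17-14:27:42.104811 192.0.2.10 -> 192.0.2.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:SID:1] ICMP Nmap2.36BETA or HPING2 Echo  [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/17-14:28:42.105002 192.0.2.10 -> 192.0.2.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:SID:1] ICMP Nmap2.36BETA or HPING2 Echo  [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/17-14:30:01.000173 198.51.100.7 -> 192.0.2.1
ICMP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:SID:2] ICMP PING  [**]
[Classification: Misc activity] [Priority: 3]
04/17-14:31:15.330901 192.0.2.22 -> 192.0.2.1
ICMP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO
"""

# "[**] [gid:sid:rev] <msg> [**]" -- msg may carry trailing spaces, as this one does.
HEADER_RE = re.compile(r"^\[\*\*\] \[[^\]]+\] (?P<msg>.*?)\s*\[\*\*\]\s*$")
# "MM/DD-HH:MM:SS.usec SRC -> DST" (ICMP alerts carry no ports).
ADDR_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alerts(text):
    """Return one dict per alert with msg, ts, src and dst.

    A header line opens a record; the first address line after it fills in
    the timestamp and endpoints. Other lines (classification, protocol
    detail, blanks) are skipped, so the parser also tolerates the extra
    lines TCP/UDP alerts produce.
    """
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"msg": m.group("msg"), "ts": None, "src": None, "dst": None}
            alerts.append(current)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None and current["src"] is None:
            current.update(ts=m.group("ts"), src=m.group("src"), dst=m.group("dst"))
    return alerts


def sources_for(alerts, msg):
    """Count alerts carrying exactly this msg string, keyed by source address."""
    return Counter(a["src"] for a in alerts if a["msg"] == msg)


if __name__ == "__main__":
    hits = sources_for(parse_alerts(SAMPLE_ALERT_FILE), TARGET_MSG)
    for src, n in hits.most_common():
        print(f"{src:16} {n:4d}  {TARGET_MSG}")
```

A source that shows up at a steady interval from an address you administer is the signature of a ping monitor such as the Net::Ping script above; a burst from an unknown address is what the rule was written for. To run it over a real sensor, replace `SAMPLE_ALERT_FILE` with the contents of your alert file.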
