List: arachnids
Subject: [arachNIDS] icmp.rules
From: "Clifford, Shawn A" <shawn.a.clifford () lmco ! com>
Date: 2001-04-17 14:27:42
I meant for this to go in my last post as well.
The rule in 'icmp.rules' whose msg is: "ICMP Nmap2.36BETA or HPING2 Echo "
is triggered by icmp pings from Perl's Net::Ping module.
The following code will illustrate this on your snort box:
#!/usr/local/bin/perl
#
# icmp_ping.pl
#
use Net::Ping;
# Raw ICMP sockets require root privileges.
if ($> != 0) {
    die "You must be 'root' to use icmp ping\n";
}
#
# Create a ping object: ICMP protocol w/ 2 second timeout.
#
$p = Net::Ping->new("icmp", 2);
foreach $node (@ARGV) {
    print "Pinging ", $node, " ... ";
    print scalar(localtime()), " : $node is ";
    print "NOT " unless $p->ping($node);
    print "reachable.\n";
}
# Release the socket held by the ping object.
$p->close();
To test: ./icmp_ping.pl <snort_host>
Check your alert file.
Should "Perl" be added to the msg string?
-- Shawn
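
Added example (not part of the original post and not the rule's own code): an offline check of why a payload-length signature cannot tell these tools apart. It assumes the rule matches an ICMP echo request (type 8) with an empty payload, which the post does not quote, and that Net::Ping sends zero data bytes for "icmp" by default; all function names and sample packets are constructed here.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(itype: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo-style message with a valid checksum."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Extract the fields a payload-size rule looks at."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"itype": itype, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(packet) == 0,
            "dsize": len(packet) - 8}

def matches_empty_echo_rule(packet: bytes) -> bool:
    """Assumed rule logic: echo request (itype 8) with zero data bytes."""
    fields = parse_icmp(packet)
    return fields["itype"] == ECHO_REQUEST and fields["dsize"] == 0

# Constructed sample packets (ICMP layer only, no IP header).
SAMPLES = {
    "empty echo request (assumed Net::Ping default)": build_icmp(ECHO_REQUEST, 0x1234, 1),
    "echo request with 56 data bytes": build_icmp(ECHO_REQUEST, 0x1234, 1, bytes(56)),
    "empty echo reply": build_icmp(ECHO_REPLY, 0x1234, 1),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        verdict = "ALERT" if matches_empty_echo_rule(pkt) else "no match"
        print(f"{label:48s} dsize={parse_icmp(pkt)['dsize']:<3d} {verdict}")
```

Under these assumptions the alert identifies a packet shape rather than a tool, so any sender of empty echo requests produces it.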