EmergingThreats> Main Web>2001882 (revision 2)EditAttach

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,7;byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; classtype: denial-of-service; sid: 2001882; rev:5; )


The offset for the byte_test should be 6, not 7. This gives FP on virtually every ICMP PMTU packet.

-- ShaneCastle - 30 Jul 2007


Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2007-07-30 - ShaneCastle
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats