ICMP Large Packet Blocking

Dears, I need to block ICMP packets > xxx bytes. Please, is there anyone who can help?

SA
Accepted Solutions

Re: ICMP Large Packet Blocking

Ahmed

Have you looked at the Custom Attack Editor Guide?

A simple exploit UDS would do the job.

  • Open Custom Attack Editor
  • Select McAfee format - new exploit
  • Enter name and description, severity, blocking option (packet)
  • Add protocol - ipv4 or ipv6
  • Then go to the sig tab, select ICMP as the protocol
  • And then add the 'ADD' condition, which is the packet length

Or if you prefer, I'm sure you can google a SNORT rule to check the ICMP packet size...

Of course, don't forget the sensor response to block once you have saved the new sig on your policies.

Regards

David

Re: ICMP Large Packet Blocking

Hi D_aloy,

Please find the below UDS added:

Do the below comparisons fit what I need or not? That is, detecting large ICMP packets greater than xxxx bytes in length. And are the below numbers in bytes or what?

 

SA

Re: ICMP Large Packet Blocking

Hi Ahmed

The comparison field should be 'Numeric Value Match' - and I am assuming the packet-len value will be in bytes.

Regards

David

Re: ICMP Large Packet Blocking

Hi D_aloy,

I need to detect any ICMP packet greater than xxx bytes, and if I choose Numeric Value Match, then the packet should exactly match the numeric value that has been specified, is that right? For this reason I am choosing the range to specify the maximum and minimum accepted values.

SA

Re: ICMP Large Packet Blocking

Hi Ahmed

Numeric value match allows you to select values other than 'equals to', i.e. 'greater than':

This should trigger on anything above 104 bytes.

Regards

David
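
The comparison modes discussed in this thread (exact match, range, greater than), applied to constructed ICMP echo packets with the 104-byte value from the reply above. This is an added example, not part of the original posts and not McAfee's implementation. The helper names, mode names and 192.0.2.x addresses are assumptions, and because the thread does not say whether the compared length is the whole IP packet or only the ICMP data, both are shown.

```python
import struct

THRESHOLD = 104  # bytes, the value quoted in the reply above

def build_echo_request(data_len):
    """Constructed sample: 20-byte IPv4 header + 8-byte ICMP echo header + data."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * data_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + icmp  # checksums left at zero; the parser below ignores them

def icmp_lengths(packet):
    """Return (ip_total_len, icmp_data_len) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None  # too short, not IPv4, or IP protocol is not ICMP (1)
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(packet):
        return None  # truncated or malformed
    return total_len, total_len - ihl - 8

def matches(length, op, value, upper=None):
    """Hypothetical mode names mirroring the comparisons discussed in the thread."""
    if op == "equal":
        return length == value
    if op == "greater":
        return length > value
    if op == "range":
        return value <= length <= upper
    raise ValueError(op)

def evaluate(data_len, threshold=THRESHOLD):
    """Apply the comparisons to one constructed echo request."""
    total, data = icmp_lengths(build_echo_request(data_len))
    return {"total": total, "data": data,
            "greater_on_total": matches(total, "greater", threshold),
            "greater_on_data": matches(data, "greater", threshold),
            "equal_on_total": matches(total, "equal", threshold)}

if __name__ == "__main__":
    for n in (56, 76, 77, 105, 1400):
        print(n, evaluate(n))
```

An echo request with 77 data bytes is 105 bytes on the wire at the IP layer, so it trips "greater than 104" on total length but not on ICMP data length; which of the two a given sensor field measures needs confirming against the product documentation.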

Re: ICMP Large Packet Blocking

Hi,

There is something wrong with the ICMP policy, since we still have large ICMP packets passing through the IPS sensors without blocking/detecting. Any advice?

SA