Have you looked at the Custom Attack Editor Guide?
A simple exploit UDS would do the job.
- Open Custom Attack Editor
- Select McAfee format - new exploit
- Enter name and description, severity, blocking option (packet)
- Add protocol - ipv4 or ipv6
- Then go to the sig tab, select ICMP as the protocol
- And then add the 'ADD' condition, which is the packet length
Or if you prefer I'm sure you can google a SNORT rule to check the ICMP packet size...
Of course, don't forget the sensor response to block once you have saved the new sig on your policies.
The comparison field should be 'Numeric Value Match' - and I am assuming the packet-len value will be in bytes.
Hi D_aloy,
I need to detect any ICMP packet greater than 1024 bytes, and if I choose Numeric Value Match, then the packet should exactly match the numeric value that has been specified, is that right? For this reason I am choosing the range to specify the maximum and minimum accepted values.
There is something wrong with the ICMP policy, since we still have large ICMP packets passing through the IPS sensors without being blocked/detected. Any advice?
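To make the "exact match" versus "greater than / range" question concrete, here is an added example (not from this thread or from McAfee) that builds constructed IPv4/ICMP packets and evaluates the three kinds of length condition on the IP total length; the packet builder, the condition names and the 1024-byte threshold are assumptions for illustration only.

```python
import struct

IP_PROTO_ICMP = 1


def build_icmp_packet(payload_len: int) -> bytes:
    """Construct a minimal IPv4 + ICMP echo-request packet (sample data only, checksums left zero)."""
    total_len = 20 + 8 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IP_PROTO_ICMP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8 = echo request
    return ip_hdr + icmp_hdr + b"A" * payload_len


def icmp_lengths(pkt: bytes):
    """Return (ip_total_len, icmp_payload_len) for an IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != IP_PROTO_ICMP or len(pkt) < ihl + 8:
        return None
    # payload is what follows the IP header and the 8-byte ICMP header
    return total_len, total_len - ihl - 8


def matches(pkt: bytes, condition: str, value) -> bool:
    """Evaluate one numeric condition (hypothetical UDS-style) on the IP total length."""
    lengths = icmp_lengths(pkt)
    if lengths is None:
        return False  # not IPv4/ICMP: the signature does not apply
    total_len = lengths[0]
    if condition == "exact":          # Numeric Value Match: equality only
        return total_len == value
    if condition == "greater":        # the check the poster actually wants
        return total_len > value
    if condition == "range":          # min/max bounds, inclusive
        lo, hi = value
        return lo <= total_len <= hi
    raise ValueError(f"unknown condition {condition!r}")


def detect_large_icmp(pkts, threshold: int = 1024):
    """Indexes of packets whose IP total length exceeds the threshold."""
    return [i for i, p in enumerate(pkts) if matches(p, "greater", threshold)]
```

Note that a ping larger than the path MTU reaches the sensor as IP fragments, each carrying its own total length, so a per-packet length condition compares against fragment sizes rather than the size of the original datagram.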