Created
March 24, 2018 22:34
Snort rules: useful for triggering on reverse shell attempts over the ICMP protocol.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Unexpected data was detected on ICMP packet into Data Segment"; itype:0; icode:0; icmp_id:1; dsize:>0; classtype:tunneling; reference:url,github.com/inquisb/icmpsh; sid:123456; rev:0;)
event_filter gen_id 1, sig_id 123456, type limit, track by_src, count 1, seconds 60
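The match conditions of the rule and the event_filter above, modelled in Python over constructed packets. This is an added example, not part of the original gist; the names `rule_matches`, `alerts`, `echo` and `SAMPLE` are hypothetical. It assumes every packet is already inbound from $EXTERNAL_NET to $HOME_NET, and the limit handling is a simplified model of the filter.

```python
import struct
from collections import namedtuple

# Constructed capture record: timestamp (s), source IP, raw ICMP message bytes.
Packet = namedtuple("Packet", "ts src icmp")

def rule_matches(icmp: bytes) -> bool:
    """Mirror the rule options itype:0; icode:0; icmp_id:1; dsize:>0."""
    if len(icmp) < 8:
        return False
    itype, icode, _cksum, ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    # The rule has no content option: any non-empty echo reply with id 1 matches.
    return itype == 0 and icode == 0 and ident == 1 and len(icmp) > 8

def alerts(packets, count=1, seconds=60):
    """Model 'type limit, track by_src, count 1, seconds 60' (simplified)."""
    windows = {}  # src -> (window start, matches seen in this window)
    logged = []
    for p in packets:
        if not rule_matches(p.icmp):
            continue
        start, seen = windows.get(p.src, (p.ts, 0))
        if p.ts - start >= seconds:      # interval expired: open a new window
            start, seen = p.ts, 0
        if seen < count:                 # only the first `count` matches are logged
            logged.append((p.ts, p.src))
        windows[p.src] = (start, seen + 1)
    return logged

def echo(itype, ident, payload=b""):
    # Checksum and sequence are left at 0; the rule does not inspect them.
    return struct.pack("!BBHHH", itype, 0, 0, ident, 0) + payload

# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    Packet(0,  "198.51.100.7", echo(0, 1, b"constructed-data")),  # match, logged
    Packet(5,  "198.51.100.7", echo(0, 1, b"more-data")),         # match, suppressed
    Packet(10, "198.51.100.7", echo(8, 1, b"x")),                 # echo request
    Packet(20, "203.0.113.9",  echo(0, 1)),                       # empty data segment
    Packet(30, "203.0.113.9",  echo(0, 7, b"abcd")),              # icmp_id is not 1
    Packet(70, "198.51.100.7", echo(0, 1, b"abcdefgh")),          # new window, logged
]

if __name__ == "__main__":
    for ts, src in alerts(SAMPLE):
        print(f"t={ts:>3}s alert sid 123456 from {src}")
```

Because the filter is `type limit` with `count 1`, a sustained session from one source produces a single alert per 60 seconds, so the alert count says nothing about how many matching packets were seen.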
IMHO: It is better to use this link as a reference: https://github.com/SLAYEROWNER/icmpsh/tree/patch-1