475.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--

Sid:
475

--

Summary:
This event is generated when a network host generates an ICMP datagram
with Record Route IP options.

--

Impact:
Packets containing IP Record Route options are used to emulate the functionality
of traceroute. 

--

Detailed Information:
The Record Route IP option is used to store routing information about the
path a datagram takes to its destination.  ICMP ECHO packets with an IP header
utilizing the Record Route option are used to emulate the functionality of
traceroute.

--

Attack Scenarios:
A remote attacker may attempt to use the Record Route IP option to determine
routing information if traceroute fails.

--

Ease of Attack:
Numerous tools and scripts can generate this type of datagram.

--

False Positives:
Network diagnostic tools may generate these types of datagrams.

--

False Negatives:
None known
--

Corrective Action:
Use ingress filtering to block incoming datagrams with the IP Record Route option.

--

Contributors:
Original rule writer unknown
Sourcefire Research Team
Matthew Watchinski (matt.watchinski@sourcefire.com)

--

Additional References:
http://www.whitehats.com/info/IDS238


--