goeldich at ee.ethz.ch
Wed Feb 16 01:27:19 PST 2005
Isn't there a possibility (an event) to recognize ICMP requests dropped
by the firewall, like the event connection_attempt in the case of TCP?
For example, this would be useful to detect the Welchia worm, which scans
for victims via ICMP.
Quoting Vern Paxson <vern at icir.org>:
> > what does the icmp_time_exceeded event mean?
> It's its own ICMP message (it indicated a datagram whose TTL expired, so
> for example traceroute uses these) - it does not have any relationship to
> other ICMP's timing out.