I need to write Snort rules to detect the following Nmap OS-detection packets:
ICMP echo (IE) The IE test involves sending two ICMP echo request packets to the target. The first one has the IP DF bit set, a type-of-service (TOS) byte value of zero, a code of nine (even though it should be zero), the sequence number 295, a random IP ID and ICMP request identifier, and 120 bytes of 0x00 for the data payload.
The second ping query is similar, except a TOS of four (IP_TOS_RELIABILITY) is used, the code is zero, 150 bytes of data is sent, and the ICMP request ID and sequence numbers are incremented by one from the previous query values.
The results of both of these probes are combined into an IE line containing the R, DFI, T, TG, and CD tests. The R value is only true (Y) if both probes elicit responses. The T and CD values are for the response to the first probe only, since they are highly unlikely to differ. DFI is a custom test for this special dual-probe ICMP case.
These ICMP probes follow immediately after the TCP sequence probes to ensure valid results of the shared IP ID sequence number test (see the section called “Shared IP ID sequence Boolean (SS)”).
I wrote the following rules:
# Nmap IE probe 1: echo request (type 8) with code 9, TOS 0, DF set, seq 295, 120 zero bytes
alert icmp any any -> any any (msg:"i1"; sid:1000001; rev:1; itype:8; icode:9; icmp_seq:295; tos:0; fragbits:D; dsize:120; content:"|00|";)
# Nmap IE probe 2: echo request (type 8) with code 0, TOS 4, DF set, seq 296, 150 zero bytes
alert icmp any any -> any any (msg:"i2"; sid:1000002; rev:1; itype:8; icode:0; icmp_seq:296; tos:4; fragbits:D; dsize:150; content:"|00|";)
These rules are wrong. I have no idea how to correct them; I'd be glad if someone could help me. Thanks in advance.
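As an added illustration (not part of the original post, and not Snort itself), the script below builds the two IE probes exactly as the quoted Nmap description specifies them, plus an ordinary-looking ping, and then evaluates the same predicates the two rules rely on: ICMP type and code, IP TOS, the DF flag (Snort's fragbits:D), the ICMP sequence number (icmp_seq), the payload length after the 8-byte ICMP header (dsize), and the presence of a zero byte (content:"|00|"). The IP IDs, ICMP identifiers and addresses are constructed sample values, since Nmap randomises them and no rule should depend on them. Seeing which header field each option reads makes it easier to spot why a rule does or does not fire on a real capture.

```python
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(tos, df, ip_id, icmp_type, icmp_code, ident, seq, payload):
    """Return raw bytes of an IPv4 header + ICMP header + payload (constructed sample)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    flags_frag = 0x4000 if df else 0          # DF is bit 14 of flags/fragment-offset
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), ip_id,
                     flags_frag, 64, 1, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_packet(pkt: bytes) -> dict:
    """Extract the fields the Snort options tos/fragbits/itype/icode/icmp_seq/dsize inspect."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    icmp_type, icmp_code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return {
        "proto": pkt[9],
        "tos": pkt[1],
        "df": bool(flags_frag & 0x4000),
        "itype": icmp_type,
        "icode": icmp_code,
        "icmp_id": ident,
        "icmp_seq": seq,
        "dsize": len(pkt) - ihl - 8,     # dsize counts bytes after the ICMP header
        "payload": pkt[ihl + 8:],
    }


# Python mirror of the two rules from the post, with itype:8 added so only echo requests match.
RULES = [
    {"msg": "i1", "sid": 1000001, "itype": 8, "icode": 9, "tos": 0, "dsize": 120, "icmp_seq": 295, "df": True},
    {"msg": "i2", "sid": 1000002, "itype": 8, "icode": 0, "tos": 4, "dsize": 150, "icmp_seq": 296, "df": True},
]


def rule_matches(rule: dict, fields: dict) -> bool:
    if fields["proto"] != 1:               # "alert icmp": IP protocol 1 only
        return False
    for key in ("itype", "icode", "tos", "dsize", "icmp_seq", "df"):
        if fields[key] != rule[key]:
            return False
    return b"\x00" in fields["payload"]    # content:"|00|" needs at least one zero byte


def evaluate(pkt: bytes) -> list:
    """Return the msg of every rule that fires on this packet."""
    fields = parse_packet(pkt)
    return [r["msg"] for r in RULES if rule_matches(r, fields)]


# Constructed samples following the quoted Nmap IE description (IDs are arbitrary).
NMAP_IE_PROBE_1 = build_probe(tos=0, df=True, ip_id=0x1234, icmp_type=8, icmp_code=9,
                              ident=0x5678, seq=295, payload=b"\x00" * 120)
NMAP_IE_PROBE_2 = build_probe(tos=4, df=True, ip_id=0x1235, icmp_type=8, icmp_code=0,
                              ident=0x5679, seq=296, payload=b"\x00" * 150)
# A typical 56-byte ping: code 0, seq 1, DF clear, payload that happens to contain a zero byte.
NORMAL_PING = build_probe(tos=0, df=False, ip_id=0x0001, icmp_type=8, icmp_code=0,
                          ident=0x0042, seq=1, payload=bytes(range(56)))

if __name__ == "__main__":
    for name, pkt in (("probe1", NMAP_IE_PROBE_1), ("probe2", NMAP_IE_PROBE_2), ("ping", NORMAL_PING)):
        print(name, parse_packet(pkt)["dsize"], evaluate(pkt))
```

The ordinary ping contains a zero byte too, so content:"|00|" alone would never separate Nmap traffic from normal pings; it is the combination of code 9 / TOS 4, the DF bit, the fixed sequence numbers 295 and 296 and the 120- and 150-byte payloads that makes the probes distinctive. The script assumes plain IPv4 with no options; if your Snort rules still do not fire on a real capture, compare the parsed fields of the captured packet against the rule values the same way.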