S424 signature SQLPing3 issue with Fping traffic

Unanswered Question

The S424 contains a new signature "SQLPing3" (Signature ID: 19840/0) which in our IDS system triggers on FPing traffic.

The SQLPing3 signature triggers on an 8-byte null content in the data part of the ICMP packet; apparently FPing shapes its data exactly the same way, effectively causing a "false" alert.

The ICMP RFC suggests the data part has no restrictions on its content; it may be all 0.

Has anyone noted this issue before, or are there any known restrictions on the content of the ICMP data that we are not aware of?

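Added example, not part of the original post and not the vendor's signature logic: assuming, as the post describes, a rule that keys only on an 8-byte all-null ICMP echo data field, this Python code shows that such a rule matches any sender producing that payload, and how a source filter for known monitoring hosts separates the cases. The function names, the addresses and the filter itself are assumptions made for illustration.

```python
import struct

NULL8 = b"\x00" * 8  # payload shape the post says the signature keys on

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP Echo Request (type 8, code 0) with a valid checksum."""
    body = struct.pack("!HH", ident, seq) + payload
    csum = inet_checksum(struct.pack("!BBH", 8, 0, 0) + body)
    return struct.pack("!BBH", 8, 0, csum) + body

def payload_only_match(icmp: bytes) -> bool:
    """Hypothetical rule: valid echo request whose data is exactly 8 null bytes."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return False  # truncated or corrupted message
    icmp_type, code = struct.unpack("!BB", icmp[:2])
    return icmp_type == 8 and code == 0 and icmp[8:] == NULL8

def triage(events, monitoring_hosts):
    """Label each (src, icmp) event: 'no-match', 'suppressed' or 'alert'."""
    verdicts = []
    for src, icmp in events:
        if not payload_only_match(icmp):
            verdicts.append((src, "no-match"))
        elif src in monitoring_hosts:
            verdicts.append((src, "suppressed"))  # known prober, e.g. an fping host
        else:
            verdicts.append((src, "alert"))
    return verdicts

# Constructed sample traffic (documentation addresses, not real hosts).
EVENTS = [
    ("192.0.2.10", build_echo_request(0x1234, 1, NULL8)),    # monitoring host
    ("198.51.100.7", build_echo_request(0xBEEF, 9, NULL8)),  # unknown source
    ("198.51.100.7", build_echo_request(0xBEEF, 10, bytes(range(56)))),
]

if __name__ == "__main__":
    for src, verdict in triage(EVENTS, {"192.0.2.10"}):
        print(src, verdict)
```

The identifier and sequence fields differ between the two null-payload packets, yet both match, which is why the payload alone cannot distinguish the senders.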