Snort rule

alert tcp !$HOME_NET any -> $HOME_NET 80 (fragbits: D!; flags: AP; \
content: !"HTTP"; nocase; content: !"HTML"; nocase; content: !"win"; \
nocase; content: !"exe"; nocase; msg: "Possible CheckSum Computing";)

Disclaimer: Our testing indicates that this rule will catch 100% of the instances of parasitic checksum computing generated by the code described in the article. On the other hand, we are also aware that it will generate occasional false positives. The number of false positives may vary between environments depending on the characteristic traffic of that environment. For example, in our lab we saw a mean of 20 false positives per million packets, within a range of 0 to 39 false positives per million. The reason for these false positives is understood, and we are actively developing and testing ways to eliminate these alerts. There are also performance issues related to this rule, but at this time they are unavoidable. We are currently working on a more generic Snort preprocessor which will be able to detect other variants of parasitic checksum computing.
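The following is an added example, not part of the original page and not the authors' code: it re-implements the rule's matching conditions in Python and runs them over a handful of constructed TCP segments, so the behaviour described above (a hit on a hand-built checksum probe, a miss on ordinary browser requests, and one way a benign segment can trip the rule) can be traced step by step. It assumes the Snort 1.x modifier semantics in force when the rule was written: "fragbits: D!" matches packets whose don't-fragment bit is NOT set, and "flags: AP" requires exactly ACK and PUSH. The sample packets and the "binary POST body" false-positive case are constructed illustrations; the page does not say what caused the false positives seen in the lab.

```python
"""Re-implementation of the parasitic-checksum Snort rule's matching logic,
run over constructed sample packets. Added example, not the original page's
or the Notre Dame authors' code."""
from dataclasses import dataclass

# Byte strings the rule requires to be ABSENT from the payload, case-insensitively
# (content: !"..."; nocase;)
NEGATED_CONTENT = (b"HTTP", b"HTML", b"win", b"exe")


@dataclass
class Packet:
    """Minimal view of one TCP segment, constructed for this example."""
    src_in_home_net: bool
    dst_in_home_net: bool
    dst_port: int
    df_set: bool          # IP header "don't fragment" bit
    tcp_flags: frozenset  # TCP flag letters that are set, e.g. {"A", "P"}
    payload: bytes


def rule_matches(pkt: Packet) -> bool:
    """Return True if the packet satisfies every condition of the rule."""
    # alert tcp !$HOME_NET any -> $HOME_NET 80
    if pkt.src_in_home_net or not pkt.dst_in_home_net or pkt.dst_port != 80:
        return False
    # fragbits: D!  -> DF bit must NOT be set (Snort 1.x modifier syntax, assumed)
    if pkt.df_set:
        return False
    # flags: AP  -> exactly ACK and PUSH, no other flags (assumed exact match)
    if pkt.tcp_flags != frozenset({"A", "P"}):
        return False
    # content: !"..."; nocase;  for each string: none may appear in the payload
    lowered = pkt.payload.lower()
    return not any(s.lower() in lowered for s in NEGATED_CONTENT)


def sample_packets() -> dict:
    """Constructed traffic toward a web server in HOME_NET, labelled by meaning."""
    return {
        # Hand-built segment carrying a few arbitrary bytes and no HTTP text,
        # with DF clear as raw-socket code typically leaves it.
        "checksum_probe": Packet(False, True, 80, False, frozenset("AP"),
                                 b"\x1f\x00\xa3\x7e\x00\x4c\x12\x90"),
        # Ordinary browser request: DF set and the string "HTTP" present.
        "http_get": Packet(False, True, 80, True, frozenset("AP"),
                           b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
        # Same request from a stack that leaves DF clear: the content checks
        # still suppress the alert.
        "http_get_no_df": Packet(False, True, 80, False, frozenset("AP"),
                                 b"GET /index.html HTTP/1.0\r\n\r\n"),
        # Continuation segment of a binary upload body, DF clear, no HTTP
        # keywords in this segment: a plausible (constructed) false positive.
        "post_body_chunk": Packet(False, True, 80, False, frozenset("AP"),
                                  bytes(range(0, 256, 3))),
        # Pure ACK with no payload: flags are not exactly AP, so no alert.
        "bare_ack": Packet(False, True, 80, False, frozenset("A"), b""),
    }


def evaluate() -> dict:
    """Map each sample name to whether the rule would alert on it."""
    return {name: rule_matches(p) for name, p in sample_packets().items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16s} {'ALERT' if hit else '-'}")
```

Running it prints an alert for the checksum probe and for the binary upload chunk only; the two HTTP requests and the bare ACK pass. The upload case shows why a rule built entirely on negated content and header bits fires on any non-text segment that happens to arrive with DF clear, which is the kind of traffic that drives the per-million false-positive counts quoted above.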

This rule was developed by Aaron Walters and Tom Slabach, working with Professor Curt Freeland.


vin@nd.edu
Last modified: Tue Sep 18 08:38:44 EST 2001