[Snort-sigs] Help on an ICMP rule: sid 486

Alex Kirk alex.kirk at ...435...
Wed Aug 25 13:39:03 EDT 2004


Seth,

That's because of the way Snort configures its order of alerting, and 
the fact that your alert rule is still in there. By default, Snort 
processes alert rules, then pass rules, then log rules; if you use the 
-o flag, they'll process as pass, alert, and then log. Of course, it'd 
be equally easy to just comment out the offending alert rule and not 
fiddle with a pass rule...it's up to you how you want to do it.

Alex Kirk
Research Analyst
Sourcefire, Inc.

>Thanks so much, Alex.  The host firewall on the
>sensors.  That makes perfect sense.
>
>Now a question about my pass rule.  It doesn't seem to
>be working.  This is my first attempt at a pass rule
>and I've studied other pass rules that I have found in
>the archives, but nothing is working.
>
>In snort.conf I made two vars:
>
>var SNORT_SENSORS [192.168.200.100,192.200.101]
>var VPN_POOL 192.168.216.0/24
>
>then added my pass rule to local.rules:
>
>pass icmp $SNORT_SENSORS any -> $VPN_POOL (msg:
>"Ignore ICMP dest. Admin. Prohib"; icode:10; itype:3;
>sid:999901; rev:1;)
>
>I have tried it with any any -> any any, and also with
>no sid or rev because I have seen some pass rules
>without them in the archives.  Snort always loads back
>up after the restart but I still get the alerts.  What
>am I missing?
>
>Thanks again,
>Seth
>
>
>--- Alex Kirk <alex.kirk at ...435...> wrote:
>
>>Seth,
>>
>>You are correct in that your variables aren't really
>>relevant to this alert.
>>
>>This alert's message is actually taken from the actual
>>error type/codes that go along with ICMP itself; I
>>strongly suspect that, if the wording isn't straight
>>from the RFC itself, it's from page 71 of Stevens' TCP/IP
>>Illustrated Volume 1 (which is what I used to just check
>>myself with -- great book for anyone interested in
>>networking). All it means is that there's some sort of
>>policy/firewall/routing setup/whatever on the subnet/IPs
>>that the messages are dealing with that blocks pings.
>>Considering that it's your Snort sensor and your VPN
>>pool interacting, my guess is that you've either got a
>>tightly configured firewall on your Snort box (which
>>would of course make sense), or that your VPN software
>>is sending these messages back. They're nothing to worry
>>about, I'd definitely go with a pass rule.
>>
>>Alex Kirk
>>Research Analyst
>>Sourcefire, Inc.
>>
>>>Hello all.  Quick question.  I get a couple of
>>>thousand "ICMP Destination Unreachable Communication
>>>with Destination Host is Administratively Prohibited"
>>>alerts a day.
>>>
>>>The source addr's are always the LAN cards on my snort
>>>sensors and the destination addr's are only IPs from
>>>our VPN pool.
>>>
>>>Before I write a pass rule I was just wondering if
>>>someone has any insight on why I am getting the alerts
>>>and what they mean?
>>>
>>>The rule is an any any -> any any. icode:10; itype:3;
>>>so I don't think it has to do with me fine tuning the
>>>variables more ... right?
>>>
>>>It's only the one sensor that is monitoring the LAN
>>>side of the firewall that picks the rules up even
>>>though the sources are coming from all three Linux
>>>boxes (snort database, DMZ sensor and LAN sensor).
>>>
>>>Thanks,
>>>Seth
>>>
>>>_______________________________________________
>>>Snort-sigs mailing list
>>>Snort-sigs at lists.sourceforge.net
>>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
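An added illustration of the action-ordering point in Alex's reply, not code from the thread or from Snort itself: a small Python model of how Snort 2 groups rules by action and evaluates the groups in a fixed order, so a matching alert rule fires before a pass rule is ever consulted unless the order is changed with `-o` (the snort.conf equivalent is `config order: pass alert log`). The sids, the sensor/VPN addresses and the sample packets below are constructed for the example, and the header matching is a simplification of Snort's real engine.

```python
"""Toy model of Snort 2 rule-action ordering.

Added example, not Snort's code.  Snort 2 groups rules by action and
evaluates the groups in a fixed order: by default alert -> pass -> log,
and with `snort -o` (snort.conf: `config order: pass alert log`) it is
pass -> alert -> log.  The first group containing a matching rule decides
the packet's fate, which is why a pass rule loaded under the default order
never gets a chance to silence an alert rule that also matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")  # what `snort -o` selects

# Constructed snort.conf variables (made-up addresses in the same ranges
# as the thread; the real file is not reproduced here).
VARS = {
    "SNORT_SENSORS": ["192.168.200.100", "192.168.200.101"],
    "VPN_POOL": ["192.168.216.0/24"],
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    itype: int
    icode: int


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str  # "any", a literal IP/CIDR, or a $VARIABLE
    dst: str
    sid: int
    itype: Optional[int] = None
    icode: Optional[int] = None


def addr_matches(spec: str, addr: str) -> bool:
    """Resolve a rule address spec ($VAR, CIDR, or any) and test addr against it."""
    if spec == "any":
        return True
    nets = VARS.get(spec.lstrip("$"), [spec])  # unknown names are taken literally
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto == pkt.proto
        and addr_matches(rule.src, pkt.src)
        and addr_matches(rule.dst, pkt.dst)
        and (rule.itype is None or rule.itype == pkt.itype)
        and (rule.icode is None or rule.icode == pkt.icode)
    )


def verdict(rules, pkt: Packet, order=DEFAULT_ORDER) -> Tuple[str, Optional[int]]:
    """Walk the action groups in `order`; the first group with a match wins."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.sid
    return "none", None


# sid 486 stands in for the stock ICMP "admin prohibited" alert; 999901 is
# the local pass rule from the thread, with the same type/code restriction.
RULES = [
    Rule("alert", "icmp", "any", "any", sid=486, itype=3, icode=10),
    Rule("pass", "icmp", "$SNORT_SENSORS", "$VPN_POOL", sid=999901, itype=3, icode=10),
]

# Constructed packets: a sensor -> VPN pool ICMP type 3 code 10 message,
# and the same message from a host the pass rule does not cover.
SENSOR_TO_VPN = Packet("192.168.200.100", "192.168.216.7", "icmp", itype=3, icode=10)
OTHER_TO_VPN = Packet("10.9.8.7", "192.168.216.7", "icmp", itype=3, icode=10)

if __name__ == "__main__":
    for label, order in (("default (alert pass log)", DEFAULT_ORDER),
                         ("with -o (pass alert log)", PASS_FIRST_ORDER)):
        print(f"{label}: sensor packet -> {verdict(RULES, SENSOR_TO_VPN, order)}, "
              f"other host -> {verdict(RULES, OTHER_TO_VPN, order)}")
```

Under the default order the sensor packet is decided by sid 486 in the alert group before the pass group is reached; under the pass-first order the same packet is silenced by sid 999901, while a packet from a host outside `$SNORT_SENSORS` still alerts under both orders, which is the behaviour a narrowly scoped pass rule is meant to give.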





More information about the Snort-sigs mailing list