[Snort-users] removing ping alerts

Raphael Bauduin rb at ...573...
Thu Oct 5 10:13:22 EDT 2000


Hi,

We have a monitoring system sending out pings regularly. I want to remove 
the messages about these ICMP packets. Here's the alert I get:

[**] IDS152 - PING BSD [**]
10/05-16:05:42.441416 172.16.1.96 -> 172.16.0.9
ICMP TTL:64 TOS:0x0 ID:20447
ID:1544   Seq:0  ECHO



And it is coming from this rule:

alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS152 - PING BSD"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: 32;)



To avoid these messages, I put this line at the beginning of my rules file:

pass icmp 172.16.1.96 any <> 172.16.0.9 any 



But it doesn't change anything :(
What am I doing wrong?


thanks.

Raph

PS: I also tried taking the complete alert rule and just changing alert to 
pass, and removing the msg:"****", but it didn't work either....

-- 

   If windows is the answer, it must have been a stupid question.


