[Snort-users] Ignoring ICMP packets

Avleen Vig avleen at ...396...
Tue Apr 17 12:35:23 EDT 2001


Example packet:

[**] ICMP Destination Unreachable (Undefined Code!) [**]
04/15-01:23:54.055240 [MAC addr1] -> [MAC addr2] type:0x800 len:0x46
[source_ip] -> [my_ip] ICMP TTL:48 TOS:0x0 ID:55880 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
[my_ip:6667] -> [dest_ip:port] TCP TTL:46 TOS:0x0 ID:61815 IpLen:20
DgmLen:77
*2*AP*** Seq: 0xAB3B3C32  Ack: 0x1AEAD83A  Win: 0x400  TcpLen: 8
** END OF DUMP


What I want to be able to do is tell snort to ignore / not log an ICMP
DESTINATION UNREACHABLE packet ONLY if the original packet came from
[my_ip:6667].
Running an IRC server generates a lot of false positives :(

Anyone know how to do this?
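
The condition asked for above depends on the original datagram that an ICMP Destination Unreachable message quotes after its 8-byte header. The following is an added example, not part of the original post and not Snort code, showing that check in Python. The function names, the placeholder addresses (documentation ranges standing in for [my_ip] and [dest_ip]) and the sample packets are all constructed assumptions.

```python
import socket
import struct

# Assumption: documentation-range placeholder standing in for [my_ip:6667].
IRC_SERVER = ("192.0.2.10", 6667)

def should_ignore(icmp, server=IRC_SERVER):
    """Return True if `icmp` (bytes from the ICMP header onward) is a
    Destination Unreachable whose quoted original datagram is TCP sent
    from `server` (ip, port). Checksums are not verified."""
    if len(icmp) < 8 + 20 or icmp[0] != 3:   # ICMP type 3 = unreachable
        return False
    inner = icmp[8:]                          # quoted original IP datagram
    if inner[0] >> 4 != 4:                    # only IPv4 is handled here
        return False
    ihl = (inner[0] & 0x0F) * 4               # quoted header may carry options
    if ihl < 20 or len(inner) < ihl + 2:      # truncated before the source port
        return False
    if inner[9] != 6:                         # quoted protocol must be TCP
        return False
    src_ip = socket.inet_ntoa(inner[12:16])
    (src_port,) = struct.unpack("!H", inner[ihl:ihl + 2])
    return (src_ip, src_port) == server

def build_sample(icmp_type, code, src_ip, sport, proto=6, options=b""):
    """Constructed test input: ICMP header, quoted IPv4 header, 8 bytes of L4."""
    ver_ihl = 0x40 | (5 + len(options) // 4)
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 77, 61815, 0, 46, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("198.51.100.7"))
    l4 = struct.pack("!HHI", sport, 40000, 0xAB3B3C32)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + options + l4

if __name__ == "__main__":
    samples = {
        "unreachable quoting server:6667": build_sample(3, 1, "192.0.2.10", 6667),
        "unreachable quoting server:80": build_sample(3, 1, "192.0.2.10", 80),
        "unreachable quoting other host": build_sample(3, 1, "192.0.2.99", 6667),
        "echo request": build_sample(8, 0, "192.0.2.10", 6667),
    }
    for name, pkt in samples.items():
        print(f"{name}: {'ignore' if should_ignore(pkt) else 'log'}")
```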




