[Snort-users] snort optimization

shawn . moyer shawn at ...1184...
Sat Jan 27 07:02:05 EST 2001


Kevin.Brown at ...1022... wrote:
> 
> Yes, the system is running snort 1.7 with the snortfull.conf file from the
> downloads section of snort.org.  The database grew in just five days to close
> to 1.5GB, most of which is ICMP alerts, most of those are TTL exceeded in
> transit.  I'm considering disabling that rule since it is accounting for an
> overwhelming majority of the alerts.
> 

To ignore ping and traceroute-type traffic:

# ICMP type 8: echo request
pass icmp any any <> any any (itype: 8;)
# ICMP type 0: echo reply
pass icmp any any <> any any (itype: 0;)
# ICMP type 3: destination unreachable, with $HOME_NET at either end (<> is bidirectional)
pass icmp any any <> $HOME_NET any (itype: 3;)

Here's a reference for ICMP type codes so you can decide what you'd like
to ignore:

http://www.isi.edu/in-notes/iana/assignments/icmp-parameters



--shawn

-- 
s h a w n   m o y e r
shawn at ...1184...
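As an added illustration that is not part of the thread, the Python below evaluates the three pass rules quoted above against a constructed set of ICMP events, showing which alerts they suppress and which (such as the TTL-exceeded events Kevin describes) still fire. It assumes $HOME_NET is 192.168.1.0/24; the sample events and the rule-matching helpers are mine, not Snort's.

```python
import ipaddress
import re
from collections import Counter

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed value of $HOME_NET

# The three pass rules from the message above (Snort 1.x syntax).
PASS_RULES = """
pass icmp any any <> any any (itype: 8;)
pass icmp any any <> any any (itype: 0;)
pass icmp any any <> $HOME_NET any (itype: 3;)
"""

# Constructed sample events (msg, src, dst, ICMP type); addresses are made up.
SAMPLE_ALERTS = [
    ("ICMP Echo Request", "10.0.0.5", "192.168.1.10", 8),
    ("ICMP Echo Reply", "192.168.1.10", "10.0.0.5", 0),
    ("ICMP TTL Exceeded in Transit", "10.0.0.1", "192.168.1.10", 11),
    ("ICMP Port Unreachable", "10.0.0.7", "192.168.1.10", 3),
    ("ICMP Port Unreachable", "192.168.1.10", "10.0.0.7", 3),  # '<>' covers outbound too
    ("ICMP Port Unreachable", "10.0.0.7", "10.0.0.9", 3),      # neither end in $HOME_NET
]

RULE_RE = re.compile(r"^pass icmp (\S+) \S+ <> (\S+) \S+ \(itype:\s*(\d+);\)$")

def _net(token):  # rule address field -> network, or None for 'any'
    return None if token == "any" else HOME_NET if token == "$HOME_NET" else ipaddress.ip_network(token)

def parse_rules(text):
    """[(itype, net_a, net_b)] for the subset of Snort pass syntax used above."""
    matches = [RULE_RE.match(l.strip()) for l in text.strip().splitlines()]
    if not all(matches):
        raise ValueError("unsupported rule syntax")
    return [(int(m.group(3)), _net(m.group(1)), _net(m.group(2))) for m in matches]

def _fits(net, addr):
    return net is None or ipaddress.ip_address(addr) in net

def is_passed(src, dst, itype, rules):
    """True if some rule matches; '<>' lets the two address fields apply either way round."""
    return any(t == itype and (_fits(a, src) and _fits(b, dst) or _fits(a, dst) and _fits(b, src))
               for t, a, b in rules)

def remaining_alerts(alerts, rule_text):
    """Count the alert messages that would still fire after the pass rules."""
    rules = parse_rules(rule_text)
    return Counter(msg for msg, src, dst, itype in alerts
                   if not is_passed(src, dst, itype, rules))
```

Running remaining_alerts(SAMPLE_ALERTS, PASS_RULES) leaves one TTL-exceeded event (type 11, no pass rule) and the one port-unreachable event where neither address is in $HOME_NET.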
