[Snort-users] [Snort-users] Speedera

Paul Murphy paul.murphy at ...2217...
Tue Jun 12 04:47:31 EDT 2001

Thanks John.  My mailserver is behind a firewall that blocks ICMP.  I suppose my question was twofold:  Why is my mailserver managing to emit icmp at all, and when it does, why do they have the speedera signature?

So I guess this is ot really for this list, as I can stop Snort triggering because of this, but I still don't know why it is happening in the first place.

Any offers?


>>> John Sage <jsage at ...2022...> 6/11/2001 06:58:26 pm >>>

I had to work on ping-lib to keep it from worrying about all sorts of stuff.

You may want to do something like this:

alert icmp !$HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Request"; 

If I remember correctly, the original syntax was "any any <> $HOME_NET 
any" which alerts for stuff going in or out...

- John

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022... 
"The web is so, like, five minutes ago..."

Paul Murphy wrote:

> Hi all,
> Does anyone have any ideas why my Snort is picking up Speedera ICMPs *outbound* from my mail server?
> They are echo requests btw.
> Thanks,
> Paul.

Snort-users mailing list
Snort-users at lists.sourceforge.net 
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

CRESTCo Ltd.             The views expressed above are not necessarily those
33 Cannon Street.        held by CRESTCo Limited.
London  EC4M 5SB (UK)      
+44 (020) 7849 0000     http://www.crestco.co.uk 

More information about the Snort-users mailing list