[Snort-users] ICMP false possitives...

Paulie paulie at ...2160...
Wed Jun 13 00:12:49 EDT 2001


I run a fair sized home network.  It is used mostly for personal purposes
and providing certain services to a small community of friends and fellow
network professionals.

My problem is, having installed ACID I am logging HUGE numbers of ICMP
destination unreachables and MISC large ICMP packets.  I mean LOTS.  I
generate like 5-10,000/day.  I have examined a random sampling of these
and they all appear to be benign.  Many seem to be generated by analog,
the web log analyzer we use that generates alot of collateral traffic as it
runs through the logs (lotso DNS and the like).  Lots of the large ICMP
packets are generated by folks in network operations that use the server
to troubleshoot network issues from outside thier network.  When I boil it
down it begins to seem sily for me to collect the number of these packets
that I am and keep them about.  I tend to end up batch deleting them from
the MySQL database via ACID.  They are still logged via syslog but...

So my actual question is do people think it worthwile to continue to log
this stuff or just remove those rules from the ruleset.  I fully realize
that this is somewhat dangerous and that the whole question is VERY
relative to what any given person is looking to achive/protect etc.  In
other words yes it depends on alot of factors but what do people think
about not logging much of the ICMP blech that flows by?


More information about the Snort-users mailing list