[Snort-users] Stopping particular rules

Bennett Samowich brs at ...664...
Mon Jun 25 10:58:07 EDT 2001


Greetings,

I am getting an exorbitant amount of ICMP alerts and want to temporarily
turn them off.  I have tried commenting our the include for the ICMP rules
from snort.conf as well as adding a pass line to local.rules.  Neither of
these seem to stop the influx of ICMP alerts.  Any ideas on what I am doing
wrong?

My local.rules has:
# Pass any ICMP traffic temporarily
pass icmp any any -> any any (msg: "temporarily disabled";)

My snort.conf has:
...snip...
# Pass any local ICMP traffic
# Be sure you have created a local.rules file
# for your includes/ignores, etc.
#===============================================
include local.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include sql.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-misc.rules
include web-iis.rules
# include icmp.rules
include misc.rules
include policy.rules
include info.rules
include virus.rules

# Include the WhiteHats Vision rules here
# include vision.rules
...snip...

- Bennett





More information about the Snort-users mailing list