[Snort-users] Stopping particular rules

Kiira Triea kiira-t at ...2241...
Mon Jun 25 10:50:36 EDT 2001


If you do: 

grep ICMP /etc/snort/*.rules | awk '{print $1 }' | sort | uniq

you find all that have a rule for ICMP packets, not just those in
icmp.rules. Some actually are more important but you can '#' out the
ones that are clogging up your snort logs like the regular old ping
rules in info.rules. 

HTH, 

Kiira 



> Greetings,
> 
> I am getting an exorbitant amount of ICMP alerts and want to temporarily
> turn them off.  I have tried commenting our the include for the ICMP rules
> from snort.conf as well as adding a pass line to local.rules.  Neither of
> these seem to stop the influx of ICMP alerts.  Any ideas on what I am doing
> wrong?
> 
> My local.rules has:
> # Pass any ICMP traffic temporarily
> pass icmp any any -> any any (msg: "temporarily disabled";)
> 
> My snort.conf has:
> ...snip...







More information about the Snort-users mailing list