[Snort-users] Stopping particular rules

Joe McAlerney joey at ...47...
Mon Jun 25 13:20:38 EDT 2001


Hello Bennett,

I'm not sure why you are still seeing them when the includes are
commented out.  Perhaps there are some hidden in other .rules files like
Kiira said.  As far as your pass rule, you must use -o to change the
rule ordering, or the "alert" icmp rules will take precedence.

Happy Snorting,

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

Bennett Samowich wrote:
> 
> Greetings,
> 
> I am getting an exorbitant amount of ICMP alerts and want to temporarily
> turn them off.  I have tried commenting out the include for the ICMP rules
> from snort.conf as well as adding a pass line to local.rules.  Neither of
> these seems to stop the influx of ICMP alerts.  Any ideas on what I am doing
> wrong?
> 
> My local.rules has:
> # Pass any ICMP traffic temporarily
> pass icmp any any -> any any (msg: "temporarily disabled";)
> 
> My snort.conf has:
> ...snip...
> # Pass any local ICMP traffic
> # Be sure you have created a local.rules file
> # for your includes/ignores, etc.
> #===============================================
> include local.rules
> include exploit.rules
> include scan.rules
> include finger.rules
> include ftp.rules
> include telnet.rules
> include smtp.rules
> include rpc.rules
> include rservices.rules
> include backdoor.rules
> include dos.rules
> include ddos.rules
> include dns.rules
> include netbios.rules
> include sql.rules
> include web-cgi.rules
> include web-coldfusion.rules
> include web-frontpage.rules
> include web-misc.rules
> include web-iis.rules
> # include icmp.rules
> include misc.rules
> include policy.rules
> include info.rules
> include virus.rules
> 
> # Include the WhiteHats Vision rules here
> # include vision.rules
> ...snip...
> 
> - Bennett
> 
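
Added example, not part of the original thread: one way to check the suggestion above that active ICMP rules may remain in other included .rules files. It follows only the uncommented include lines in a snort.conf and lists every uncommented rule whose protocol field is icmp. The function names, the constructed sample files, and the assumption that relative include paths resolve against the directory holding snort.conf are illustrative.

```shell
#!/bin/sh
# Added example: list every active ICMP rule reachable from a snort.conf.
# find_icmp_rules CONF: prints "file:line:rule" for each uncommented rule
# whose protocol field is icmp, in every file CONF actively includes.
find_icmp_rules() {
    conf=$1
    dir=$(dirname "$conf")
    # Keep only uncommented include lines ("# include icmp.rules" is skipped).
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$conf" |
    while IFS= read -r inc; do
        case $inc in
            /*) path=$inc ;;
            *)  path=$dir/$inc ;;   # assumption: relative to snort.conf's directory
        esac
        [ -f "$path" ] || { echo "missing include: $path" >&2; continue; }
        awk -v f="$path" '
            $1 ~ /^(alert|log|pass|activate|dynamic)$/ && $2 == "icmp" {
                print f ":" FNR ":" $0
            }' "$path"
    done
}

# make_sample DIR: constructed files mirroring the situation in the thread.
make_sample() {
    d=$1
    cat > "$d/snort.conf" <<'EOF'
include local.rules
# include icmp.rules
include misc.rules
EOF
    cat > "$d/local.rules" <<'EOF'
# Pass any ICMP traffic temporarily
pass icmp any any -> any any (msg: "temporarily disabled";)
EOF
    cat > "$d/icmp.rules" <<'EOF'
alert icmp any any -> any any (msg:"constructed ICMP rule A";)
EOF
    cat > "$d/misc.rules" <<'EOF'
alert tcp any any -> any 23 (msg:"constructed TCP rule";)
alert icmp any any -> any any (msg:"constructed ICMP rule B";)
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
find_icmp_rules "$tmp/snort.conf"
rm -rf "$tmp"
```

On the constructed sample this reports the pass rule in local.rules and the alert rule left in misc.rules, while the rule in the commented-out icmp.rules is not listed.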



