[Snort-users] conf/rules problems

Aaron McKinnon aaron at ...1376...
Wed May 23 13:40:14 EDT 2001

Trying to filter out false positives for DNS Servers and a few local boxes
that are chatty. I had it working for a while, moved snort off that box and
put it on a stand-alone box. Mirrored all the traffic to the new box's port
and put the NIC in promiscuous mode... I'm now logging all kinds of false
positives from the DNS servers and local Win 2000 boxes.

For example, this is an item I would like NOT to see:

[**] ICMP Echo Reply [**]
05/22-04:06:32.226477 ->
ICMP TTL:128 TOS:0x0 ID:32502 IpLen:20 DgmLen:84
Type:0 Code:0 ID:57209 Seq:0 ECHO REPLY [Snort log]

I will list below all my relevant config files and custom rule set.

*How snort is being called:

/usr/sbin/snort -Afull -o -u snort -g snort -d -D -l /var/log/snort -c

*snort.conf excerpts:


#I know there is some redundancy here... Just trying to make something go...


preprocessor portscan-ignorehosts: $DNS_SERVERS

(should be all that is relevant from snort.conf)
*local.rules file complete (local.rules is uncommented from snort.conf)

pass tcp any > any
pass udp any > any
pass icmp any > any
pass tcp any > any
pass udp any > any
pass icmp any > any
pass tcp 53 > any
pass tcp 53 > any


Thanks for any and all help in advance.

Aaron McKinnon
System Administrator
Fullerene Productions, Inc.
3250 Wilshire Blvd. Suite 2000
Los Angeles, CA 90010
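As an added illustration (not part of the original post or of the Snort distribution), the following local.rules fragment shows the full Snort 1.x pass-rule form that each of the rules above needs: action, protocol, source address, source port, direction operator, destination address, destination port, and an optional option list. $DNS_SERVERS and $HOME_NET are assumed to be defined with "var" lines in snort.conf; $CHATTY_HOSTS is a hypothetical variable standing in for the Windows 2000 addresses, which the post does not give.

```snort
# Added example, not from the original post. Snort 1.x rule layout is:
#   action proto src_addr src_port direction dst_addr dst_port [(options)]
# Address and port fields are all required; "any" is accepted in either.
# $DNS_SERVERS and $HOME_NET are assumed to be set with "var" in snort.conf.

# Suppress the alert quoted in the post: ICMP Echo Reply (type 0) from the
# DNS servers. Matching on itype keeps the rule narrow, so other ICMP from
# those hosts (unreachables, redirects) still alerts.
pass icmp $DNS_SERVERS any -> $HOME_NET any (itype: 0;)

# Suppress ordinary DNS replies leaving the DNS servers' port 53.
pass udp $DNS_SERVERS 53 -> any any
pass tcp $DNS_SERVERS 53 -> any any

# Hypothetical variable for the chatty Windows 2000 boxes; the real
# addresses would go in snort.conf as, e.g.:
#   var CHATTY_HOSTS [a.b.c.d/32,e.f.g.h/32]
pass icmp $CHATTY_HOSTS any -> $HOME_NET any (itype: 0;)
pass icmp $HOME_NET any -> $CHATTY_HOSTS any (itype: 0;)
```

Two points worth checking alongside the rules themselves: pass rules only take effect before the matching alert rule when Snort is started with -o (already present in the command line above), since the default order evaluates Alert rules first; and the portscan-ignorehosts preprocessor line only quiets the portscan preprocessor, so it has no effect on signature alerts such as ICMP Echo Reply.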
