[Snort-users] ICMP logs
neil at ...1633...
Fri May 25 11:28:03 EDT 2001
jan at ...1739... wrote asking:
>I've tried to write a pass rule for ICMP type 3 code 3 from my
>border router to my firewall.
>It looks like this:
>pass icmp my.border.router/32 any -> my.fire.wall/32 any (itype:"3";icode:"3";)
>Snort doesn't complain and starts nicely, but keeps logging
>them, although I DID specify -o.
>Version's 1.7, Platform FreeBSD 4.2 STABLE.
>Any suggestions? Drives me mad.
I don't know that this would cause a problem, but my "itype" specifications
look like this ...
... rather than with the quotes and no space.
Did you comment out the rule that alerts on these packets, or alter it so
that it wouldn't see them? I think I would have tried that before writing
a pass rule.
Neil Dickey, Ph.D.
Northern Illinois University