[Snort-users] ICMP logs

Neil Dickey neil at ...1633...
Fri May 25 11:28:03 EDT 2001


jan at ...1739... wrote asking:

>I've tried to write a pass rule for ICMP type 3 code 3 from my
>border router to my firewall. 
>
>It looks like this:
>
>pass icmp my.border.router/32 any -> my.fire.wall/32 any (itype:"3";icode:"3";)
>
>Snort doesn't complain and starts nicely, but keeps logging
>them, although I DID specify -o. 
>
>Version's 1.7, Platform FreeBSD 4.2 STABLE. 
>
>Any suggestions? Drives me mad.

I don't know that this would cause a problem, but my "itype" specifications
look like this ...

  itype: 3;

... rather than with the quotes and no space.

Did you comment out the rule that alerts on these packets, or alter it so
that it wouldn't see them?  I think I would have tried that before writing
a pass rule.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115





