[Snort-users] How to ignore ping/icmp traffic to-from a host

McCammon, Keith Keith.McCammon at ...3497...
Tue Feb 26 09:38:30 EST 2002


One way to solve your problem:

1) Find the rule that is being triggered by your node monitor, and look
at the attributes.

2) Edit your local.rules file, adding a "pass" rule using the
appropriate source, destination, and traffic attributes.  Also, if your
node monitor is checking a number of hosts, you may want to create a
variable in your snort.conf file to use as the destination in the rule
(something like "var ALLOW_ICMP [x.x.x.3/32,x.x.x.4/32]").

3) Start snort with "-o", so that pass rules are processed before alert
rules.

There are a number of ways to do this, but I've found that you're
usually better off using local.rules, so that you have a single file
with all of the necessary customizations for your site.  Less work at
the command line, and easy to "take with you" when testing new rulesets,
distributions, etc.

Cheers

Keith
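A concrete version of the three steps above, as an added example and not part of the original post. The variable names, addresses and file paths are constructed placeholders; the rules are restricted to echo request/reply so that other ICMP types from or to the same hosts still alert.

```snort
# --- snort.conf (constructed example) ---
# Monitoring node and the hosts it is allowed to ping without alerting.
var NODE_MONITOR 10.0.0.10/32
var ALLOW_ICMP [10.0.0.3/32,10.0.0.4/32]

# --- local.rules (constructed example) ---
# Pass only ICMP echo request (type 8) from the monitor to the allowed hosts,
# and the matching echo reply (type 0) back. Any other ICMP type, or a ping
# from any other source, still falls through to the normal alert rules.
pass icmp $NODE_MONITOR any -> $ALLOW_ICMP any (itype:8;)
pass icmp $ALLOW_ICMP any -> $NODE_MONITOR any (itype:0;)

# Start snort so that pass rules are evaluated before alert rules:
#   snort -o -c /etc/snort/snort.conf
```

Without `-o`, the alert rule wins and these pass rules have no effect; with it, keep the source and type restrictions as above so the pass rule does not silence unrelated ICMP alerts.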
