[Snort-users] How to ignore ping/icmp traffic to-from a host

McCammon, Keith Keith.McCammon at ...3497...
Tue Feb 26 09:38:30 EST 2002

One way to solve your problem:

1) Find the rule that is being triggered by your node monitor, and look
at the attributes.

2) Edit your local.rules file, adding a "pass" rule using the
appropriate source, destination, and traffic attributes.  Also, if your
node monitor is checking a number of hosts, you may want to create a
variable in your snort.conf file to use as the destination in the rule
(something like "var ALLOW_ICMP [x.x.x.3/32,x.x.x.4/32]").

3) Start snort with "-o", so that pass rules are processed before alert

There are a number of ways to do this, but I've found that you're
usually better off using local.rules, so that you have a single file
with all of the necessary customizations for your site.  Less work at
the command line, and easy to "take with you" when testing new rulesets,
distributions, etc.
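The three steps above, written out as an added example (not part of the original post): the hosts and addresses are placeholders from the 192.0.2.0/24 documentation range, and the rules are limited to echo request/reply (itype 8/0) between the monitor and its targets so that other ICMP alerts involving those hosts are still raised.

```snort
# snort.conf -- variables for the node monitor and the hosts it pings
# (placeholder addresses; substitute your own)
var NODE_MONITOR 192.0.2.10/32
var ALLOW_ICMP [192.0.2.3/32,192.0.2.4/32]

# local.rules -- pass rules scoped to echo request (itype:8) and
# echo reply (itype:0) between exactly those hosts
pass icmp $NODE_MONITOR any -> $ALLOW_ICMP any (msg:"Node monitor echo request"; itype:8; sid:1000001; rev:1;)
pass icmp $ALLOW_ICMP any -> $NODE_MONITOR any (msg:"Node monitor echo reply"; itype:0; sid:1000002; rev:1;)

# start snort so that pass rules are evaluated before alert rules:
#   snort -c /etc/snort/snort.conf -o
```

Without `-o`, the matching alert rule fires first and the pass rule never gets a chance to suppress it, so check `snort -o` is in the startup script rather than only in an interactive test.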
