[Snort-users] Pass Rule not working?

Shane Williams shanew at ...5387...
Wed Jul 24 10:26:02 EDT 2002

On Wed, 24 Jul 2002, Steve Lebeda wrote:

> I've been getting alerts in ACID because of ICMP packets. The message is 
> ICMP Destination Unreachable (Communication Administratively Prohibited)
> I know this particular issue has been addressed previously and I think I 
> understand why it's happening. The servers on my Home Net are trying to 
> ping to places that they aren't allowed to ping and the packets are being 
> returned by an intermediary device. Trying to be clever, I wrote a pass 
> rule in my local.rules file:
> pass icmp any any -> *.*.*.* any (itype: 3; icode: 13)
> I'm still getting errors.
> What'd I do wrong?

Maybe I'm missing something, but did you try:
pass icmp any any -> any any (itype: 3; icode: 13)

I don't think *.*.*.* is a valid IP address in a rule.

Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |                               
All syllogisms contain three lines |              shanew at ...5387...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew

More information about the Snort-users mailing list