[Snort-users] icmp i want to ignore
sjscott007 at ...741...
Wed Jun 5 12:59:01 EDT 2002
What I do is place a pass rule in my local.rules file. See the
pass icmp <IP-ADDRESS> any -> $HOME_NET any (msg:"ICMP L3retriever Ping - MANAGEMENT MACHINE - STEVE"; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
I also put a comment in the msg section explaining why the filter was
added and who added it.
To use this you must have the -o parameter specified when you start
snort. This changes the default rule order.
On Wed, 2002-06-05 at 14:26, Don wrote:
> The following rule in icmp.rules
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
> triggers an alert for me that I wish to ignore, from one source IP address. I know
> what causes it on this source, so I wish to ignore this source only. What
> would be the best way to do this?
> Any suggestions?
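Putting the two halves of the thread together, here is a complete layout of the three files involved. This is an added example, not configuration posted by either participant; the management host address 192.0.2.10 (an RFC 5737 documentation address), the variable name MGMT_HOST, the sid 1000001 and the file arrangement are assumptions made for illustration.

```conf
# icmp.rules -- the distributed signature, kept unchanged so every other
# source of this payload still alerts.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype:8; icode:0; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)

# local.rules -- the exception for one host.
# The header is narrowed to the single source, and the payload options
# (content, itype, icode, depth) are copied from the alert verbatim so the
# pass rule can only ever swallow the exact traffic it is meant to.
# A local sid (1000000 and above is the range reserved for local rules)
# avoids reusing the distributed rule's sid:466.
var MGMT_HOST 192.0.2.10   # assumed address of the management machine
pass icmp $MGMT_HOST any -> $HOME_NET any (msg:"ICMP L3retriever Ping - MANAGEMENT MACHINE - pass added by steve, vulnerability scanner on mgmt host"; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype:8; icode:0; depth:32; sid:1000001; rev:1;)

# snort.conf -- a pass rule only takes effect if pass rules are evaluated
# before alert rules. The default evaluation order is alert, pass, log, so
# without changing it the alert above fires first and the pass rule is never
# consulted. Either start snort with -o, or set the order here:
config order: pass alert log activation dynamic
include $RULE_PATH/icmp.rules
include $RULE_PATH/local.rules
```

Start Snort with `snort -o -c snort.conf` (the `-o` is redundant once `config order` is in the file, but harmless). The caveat that matters: `-o` and `config order` are global, so after the change every pass rule in every included file outranks every alert rule. Keep each pass rule as tight as this one (one source, one protocol, the same payload options as the alert it suppresses) and audit local.rules for anything like `pass ip any any -> any any`, which would silently blind the sensor.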