[Snort-users] icmp i want to ignore

Steve Scott sjscott007 at ...741...
Wed Jun 5 12:59:01 EDT 2002


Don,

	What I do is place a pass rule in my local.rules file.  See the
following:

pass icmp <IP-ADDRESS> any -> $HOME_NET any (msg:"ICMP L3retriever Ping - MANAGEMENT MACHINE - STEVE"; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)

I also put a comment in the msg section explaining why the filter was
added and who added it.

To use this you must have the -o parameter specified when you start
snort. This changes the default rule order.

Steve

On Wed, 2002-06-05 at 14:26, Don wrote:
> the following rule in icmp.rules
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping";
> content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;
> reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
> triggers an alert for me I wish to ignore, from 1 source IP address, I know
> what causes it on this source, so I wish to ignore this source only, what
> would be the best way for this?
> Any suggestions?
> 
> Don
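
Added example (not part of the original post, and not Snort's own code): a simplified Python model of the rule-type ordering Steve refers to, showing that his pass rule only takes effect under the -o order. The source address 192.0.2.10, the sample packets and the helper names are constructed for illustration; the model assumes the first rule type with a match decides and that $EXTERNAL_NET and $HOME_NET cover every sample packet.

```python
import re

# The two rules from the thread; 192.0.2.10 stands in for <IP-ADDRESS> (constructed).
RULES = [
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; '
    'content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; sid:466; rev:1;)',
    'pass icmp 192.0.2.10 any -> $HOME_NET any (msg:"ICMP L3retriever Ping - MANAGEMENT MACHINE"; '
    'content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; sid:466; rev:1;)',
]
DEFAULT_ORDER = ("alert", "pass", "log")  # standard order: alert rules are checked first
DASH_O_ORDER = ("pass", "alert", "log")   # order when Snort is started with -o

def parse(rule):
    """Split a rule into its header fields and the options this model uses."""
    head, opts = rule.split("(", 1)
    action, proto, src, _sport, _arrow, _dst, _dport = head.split()
    o = dict(re.findall(r'(\w+):\s*"?([^";]+)"?;', opts))
    return {"action": action, "proto": proto, "src": src,
            "itype": int(o["itype"]), "icode": int(o["icode"]),
            "content": o["content"].encode(), "depth": int(o["depth"])}

def matches(rule, pkt):
    # Assumption: a $VARIABLE source covers every sample packet.
    src_ok = rule["src"].startswith("$") or rule["src"] == pkt["src"]
    return (src_ok and pkt["proto"] == rule["proto"]
            and pkt["itype"] == rule["itype"] and pkt["icode"] == rule["icode"]
            and rule["content"] in pkt["payload"][:rule["depth"]])

def verdict(pkt, order, rules=RULES):
    """Return the action of the first rule type, in the given order, that matches."""
    parsed = [parse(r) for r in rules]
    for action in order:
        if any(r["action"] == action and matches(r, pkt) for r in parsed):
            return action
    return "none"

# Constructed sample packets: the same echo request from two different sources.
PING = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
MGMT = {"proto": "icmp", "src": "192.0.2.10", "itype": 8, "icode": 0, "payload": PING}
OTHER = {"proto": "icmp", "src": "198.51.100.7", "itype": 8, "icode": 0, "payload": PING}

if __name__ == "__main__":
    for name, pkt in (("management host", MGMT), ("other host", OTHER)):
        print(name, "| default:", verdict(pkt, DEFAULT_ORDER), "| -o:", verdict(pkt, DASH_O_ORDER))
```

Only the management host's verdict changes between the two orders, so the exception stays scoped to that one source and every other sender of this ping still alerts.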