[Snort-users] icmp i want to ignore
erek at ...577...
Wed Jun 5 22:30:03 EDT 2002
On Wed, 5 Jun 2002, Don wrote:
> the following rule in icmp.rules
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping";
> content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;
> reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
> triggers an alert for me i wish to ignore, from 1 source IP address, I know
> what causes it on this source, so i wish to ignore this source only, what
> would be the best way for this?
> any suggestions
FAQ'able info folks... :)
You have two options. It depends on how you want to approach it, as to your
1) BPF Filters
2) Pass Rule(s)
Now, each of these have good and bad points. You need to consider which would
work the best for you.
1) BPF Filter
Good: 1) Drops the packet at the BPF interface. Saves on
2) Speeds up Snort since it 'never sees' those packets.
Bad: 1) Poorly constructed filters can 'blind-side' your
2) Pass Rule
Good: 1) Gives you rule based control over the packets.
2) Puts all your changes into 'one place'--snort.conf
and it's rule files.
Bad: 1) Reverses the Rule order, can cause some headaches in
tracing down problems.
2) One poorly written pass rule can 'blind' your whole
3) The more specific the pass rule is, the more CPU
snort needs to process it.
I would post examples of each, but I don't have my Snort Users-Guide and
Stephens book here to double check myself with. I'll post a pair of examples
of each later tomorrow--Unless someone else beats me to it! ;-)
Since this has been reviewed here (snort-users) quite a bit, there should be
a lot of info in the archives. Phil Wood has posted a nice generic BPF
'ignore file' about 3-4 weeks ago (sorry, no URL handy). There have also been
quite a few postings regarding how to ignore things with pass rules. Have a
look over the mailing list archives and see if any of that info there make
More information about the Snort-users