[Snort-users] *NIX ping alerts

McCammon, Keith Keith.McCammon at ...3497...
Mon Jun 24 13:33:03 EDT 2002


Jason,

Just examine the rule(s) that are triggering alerts and write a simple pass rule for the source and destination.  See the docs for guidelines on writing rules <http://www.snort.org/docs/writing_rules/chap2.html#tth_chAp2>.

And if you're watching the wire between your firewall and your router, and the firewall performs NAT, then the source should be on the same network as your router's Ethernet interface.  Again, look at the alerts and you'll see the source address that's setting things off.  Not sure how a NAT'd packet from a single monitoring node could have one of 256 addresses.  Sounds fishy...

Cheers

Keith



-----Original Message-----
From: Jason Gauthier [mailto:jgauthier at ...6155...]
Sent: Monday, June 24, 2002 4:15 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] *NIX ping alerts



Greetings-


I'm using snort between my WAN router and my firewall, so I am seeing a good
amount of traffic.
Fortunatly, it's not TOO overwhelming.  However, I have a box on the inside
running Nagios (formerly Netsaint) that pings my WAN router, to make sure
it's up and measure the traffic.

I would really like to remove the alerts for this.  Is there anyway?  It is
a bit complicated, because the firewall does NAT.  Which means it looks like
it could be coming from any of my 256 addresses.

Thanks,

 Jason


-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list