hoagland at ...47...
Thu Mar 7 16:16:04 EST 2002
At 2:19 PM -0500 3/7/02, Basil Saragoza wrote:
>I just pinged novell.com and received reply from 22.214.171.124
>After that I noticed in ACID entry "ICMP echo reply"
>in snort lan sensor in "misc-activity" section....
>Why should I and why should snort care about the legitimate ping echo
Snort doesn't care. It just thought you cared since you included the
rule that alerts on a ping reply. When you first set up a sensor,
you need to go through your snort configuration and include/exclude
the rules corresponding to the alerts that you want to get.

You might also be able to make use of the priority information
included in the alert. I'm not sure about ACID, but I know in
SnortSnarf you can even choose to exclude alerts with not enough
priority from presentation.

Welcome to the world of Snort.
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland at ...47..., http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
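
The priority-based filtering described in the reply above, as an added example that is not part of the original post and is not code from Snort, ACID or SnortSnarf. It assumes alerts in Snort's "fast" one-line layout; the sample lines, sids and the function names `parse_alerts` and `triage` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's "fast" alert layout; sids, addresses and
# messages are made up for illustration and are not from the original post.
SAMPLE_ALERTS = """\
03/07-14:19:02.101  [**] [1:1000003:1] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.5
03/07-14:19:03.102  [**] [1:1000003:1] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.5
03/07-14:21:40.550  [**] [1:1000001:1] Constructed high-priority alert [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:4312 -> 10.0.0.8:80
03/07-14:22:10.900  [**] [1:1000002:1] Constructed medium-priority alert [**] [Priority: 2] {TCP} 198.51.100.7:4313 -> 10.0.0.8:80
03/07-14:23:00.000  [**] [1:1000004:1] Constructed alert without priority [**] {UDP} 198.51.100.9:53 -> 10.0.0.8:1025
this line is not an alert
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
)

def parse_alerts(text):
    """Return one dict per alert line; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({
                "sid": int(m["sid"]),
                "msg": m["msg"],
                "classification": m["cls"],
                "priority": int(m["prio"]) if m["prio"] else None,
            })
    return alerts

def triage(alerts, max_priority=2):
    """Split alerts into (shown, hidden). Priority 1 is the most severe, so an
    alert is hidden only when its number is greater than max_priority; alerts
    with no priority tag stay visible instead of being dropped silently."""
    shown, hidden = [], Counter()
    for a in alerts:
        if a["priority"] is not None and a["priority"] > max_priority:
            hidden[(a["sid"], a["msg"])] += 1  # candidates for exclusion from the rule set
        else:
            shown.append(a)
    return shown, hidden

if __name__ == "__main__":
    shown, hidden = triage(parse_alerts(SAMPLE_ALERTS))
    for a in shown:
        print(f"show  prio={a['priority']} sid={a['sid']} {a['msg']}")
    for (sid, msg), n in hidden.most_common():
        print(f"hide  x{n} sid={sid} {msg}")
```

The `hidden` counter also serves as a review list: a rule that only ever lands there is one to consider excluding from the sensor's configuration.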