[Snort-users] "icmp-over-panic"

James Hoagland hoagland at ...47...
Thu Mar 7 16:16:04 EST 2002


Hello Basil,

At 2:19 PM -0500 3/7/02, Basil Saragoza wrote:
>I just pinged novell.com and received a reply from 192.233.80.9
>After that I noticed in ACID entry "ICMP echo reply"
>in snort lan sensor in "misc-activity" section....
>Why should I and why should snort care about the legitimate ping echo
>replies?

Snort doesn't care.  It just thought you cared since you included the 
rule that alerts on a ping reply.  When you first set up a sensor, 
you need to go through your snort configuration and include/exclude 
the rules corresponding to the alerts that you want to get.

You might also be able to make use of the priority information 
included in the alert.  I'm not sure about ACID, but I know in 
SnortSnarf you can even choose to exclude alerts with not enough 
priority from presentation.

Welcome to the world of Snort.

-- Jim
-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland at ...47..., http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
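
The priority-based filtering mentioned in the reply above, as an added example that is not part of the original post and is not SnortSnarf or ACID code: it parses Snort "fast" alert lines and keeps only alerts at or above a chosen severity. The alert line layout, the sample lines, the signature IDs and the 192.0.2.x / 198.51.100.x addresses are assumptions constructed for this sketch; in Snort, priority 1 is the most severe.

```python
import re

# Assumed Snort "fast" alert layout:
#   [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
)

# Constructed sample alerts, not taken from a real sensor.
SAMPLE = """\
03/07-14:19:05.101010  [**] [1:408:4] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.233.80.9 -> 192.0.2.10
03/07-14:20:11.202020  [**] [1:1000001:1] Constructed high priority alert [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:4431 -> 192.0.2.10:80
03/07-14:21:40.303030  [**] [1:1000002:1] Constructed alert without priority [**] {UDP} 198.51.100.8:53 -> 192.0.2.10:1034
this line is not an alert
"""


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    prio = m.group("prio")
    return {
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "classification": m.group("cls"),
        # Rules without a classtype or priority carry no [Priority: N] field.
        "priority": int(prio) if prio is not None else None,
    }


def filter_by_priority(text, max_priority=2, keep_unprioritized=True):
    """Split alerts into (kept, dropped); kept means priority <= max_priority."""
    kept, dropped = [], []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # skip blank lines and non-alert noise
        prio = alert["priority"]
        if prio is None:
            # Unprioritized alerts are shown by default so nothing is hidden silently.
            (kept if keep_unprioritized else dropped).append(alert)
        elif prio <= max_priority:
            kept.append(alert)
        else:
            dropped.append(alert)
    return kept, dropped
```

Filtering at presentation time leaves the rule enabled and the alert logged; removing the rule from the sensor configuration, as the reply suggests, stops the alert from being generated at all.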



