[Snort-users] How to Write Snort Rules and Keep Your Sanity...

Hever C. Rocha - N.O.C hever at ...5283...
Wed Mar 13 05:06:04 EST 2002


> Hi Snort Users
> 
> I am trying to create some rules for the following condition:
> 
> I have a network 1.1.1.1/20 (bogus IP!), and I want all ICMP pings
> from this network not to be recorded in my SQL database; however, I want
> the ICMP pings from another network to be recorded.
> 
> I know that I have to use the "pass rules", but my rules are not working...
> 
> ex: 
>  my local.rules
> 
> pass icmp any any <> 1.1.1.1/20  any ( not working)
> pass icmp any any -> 1.1.1.1/20  any  ( not working)
> 
> For now I disable the "ICMP ping" and "ICMP ping undefined" code rules
> set, but that is not ideal...
> 
> Suggestions?
> 
> 
> Best Regards from Bahia/Brasil
> 
> Hever Costa Rocha
> N.O.C
> 55 (73) 234-3029
> 55 (73) 9133-0107
> email: hever at ...5283...
> www.itcbrasil.com.br
> 



