[Snort-users] ICMP Large Packets Alerts

Wirth, Jeff WirthJe at ...4876...
Fri Mar 22 12:34:12 EST 2002


> I'm receiving a flood of alerts from Digital Island that pings my DNS
> servers. This ping comes in from 100+ different IPs all owned by Digital
> Island who own the datacenter I have a few boxes in. Is there a way to
> filter out packets with this beginning in them for Snort?

I am sure there are a couple of ways; this is what I would do:

..........................

# snort <options> -F <name and loc of BPF filter>

The contents of the filter will depend on what you wish to drop.  To drop
all icmp from DI the following would do:

not (icmp and net <enter Digital Island NET>) 

Or to just drop "echo request and reply" the following would work:

not ( net <enter Digital Island's NET> and (icmp[0:1]=8 or icmp[0:1]=0))

* icmp type 0 = echo reply, type 8 = echo request

* see your local manpage for more BPF info ;-)

...........................

This way snort drops the packets before any analysis is attempted.

Hope this helps.

- Jeff
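To see exactly what the second BPF expression above lets through and what it drops, here is an added Python illustration (not part of the original post, and not Snort code) that emulates the predicate `not ( net <DI> and (icmp[0:1]=8 or icmp[0:1]=0))` over hand-built IPv4 packets. The `203.0.113.0/24` network (TEST-NET-3) stands in for Digital Island's real allocation, which the post leaves as a placeholder; the packets are constructed in the script so it runs offline.

```python
import ipaddress
import struct

# Placeholder for "<enter Digital Island's NET>" in the post: TEST-NET-3, not a real allocation.
DI_NET = ipaddress.ip_network("203.0.113.0/24")

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_ECHO_REPLY = 0     # icmp[0:1] = 0
ICMP_ECHO_REQUEST = 8   # icmp[0:1] = 8
ICMP_DEST_UNREACH = 3   # not covered by the echo-only filter


def build_ipv4(src, dst, proto, l4):
    """Build a minimal IPv4 header (no options, IHL=5) in front of an L4 payload."""
    total_len = 20 + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + l4


def icmp_message(icmp_type, code=0):
    """ICMP header: type, code, checksum, identifier, sequence (checksum left zero)."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1)


def parse_ipv4(pkt):
    """Return (protocol, src, dst, l4_bytes); IHL decides where the L4 header starts."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return proto, src, dst, pkt[ihl:]


def in_net(src, dst, net):
    """BPF 'net X' matches when either the source or the destination address is in X."""
    return src in net or dst in net


def keep_echo_filter(pkt, net=DI_NET):
    """Emulates: not ( net <DI> and (icmp[0:1]=8 or icmp[0:1]=0) ).

    True means Snort would still analyse the packet; False means BPF drops it first.
    icmp[0:1] is the one-byte ICMP type field at offset 0 of the ICMP header.
    """
    proto, src, dst, l4 = parse_ipv4(pkt)
    is_echo = proto == IPPROTO_ICMP and len(l4) > 0 and \
        l4[0] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
    return not (in_net(src, dst, net) and is_echo)


def keep_all_icmp_filter(pkt, net=DI_NET):
    """Emulates the broader variant: not (icmp and net <DI>)."""
    proto, src, dst, _ = parse_ipv4(pkt)
    return not (proto == IPPROTO_ICMP and in_net(src, dst, net))


# Constructed sample traffic: our DNS server is 192.0.2.53 (TEST-NET-1).
SAMPLES = {
    "DI echo request -> DNS": build_ipv4("203.0.113.7", "192.0.2.53",
                                         IPPROTO_ICMP, icmp_message(ICMP_ECHO_REQUEST)),
    "DNS echo reply -> DI": build_ipv4("192.0.2.53", "203.0.113.7",
                                       IPPROTO_ICMP, icmp_message(ICMP_ECHO_REPLY)),
    "DI dest-unreachable -> DNS": build_ipv4("203.0.113.7", "192.0.2.53",
                                             IPPROTO_ICMP, icmp_message(ICMP_DEST_UNREACH)),
    "other host echo request -> DNS": build_ipv4("198.51.100.9", "192.0.2.53",
                                                 IPPROTO_ICMP, icmp_message(ICMP_ECHO_REQUEST)),
    "DI UDP/53 query -> DNS": build_ipv4("203.0.113.7", "192.0.2.53",
                                         IPPROTO_UDP, b"\x00" * 8),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:32s} echo-filter keeps={keep_echo_filter(pkt)!s:5s} "
              f"all-icmp-filter keeps={keep_all_icmp_filter(pkt)}")
```

The two filters differ only on non-echo ICMP from the listed network: the echo-only expression still lets a destination-unreachable message from that network reach Snort's analysis, while the "all icmp" expression drops it too. Non-ICMP traffic from the same network, such as a UDP/53 query, is kept by both. Because the drop happens in BPF, nothing about those packets is logged, so the narrower filter is the one to start with when the alert flood is specifically pings.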



