[Snort-users] ICMP Large Packets Alerts
WirthJe at ...4876...
Fri Mar 22 12:34:12 EST 2002
> I'm receiving a flood of alerts from Digital Island that pings my DNS
> servers. This ping comes in from 100+ different IPs all owned by Digital
> Island who own the datacenter I have a few boxes in. Is there a way to
> filter out packets with this beginning in them for Snort?
I am sure there are a couple of ways, this is what I would do:
# snort <options> -F <name and loc of BPF filter>
The contents of the filter will depend on what you wish to drop. To drop
all icmp from DI the following would do:
not (icmp and net <enter Digital Island NET>)
Or to just drop "echo request and reply" the following would work:
not ( net <enter Digital Island's NET> and (icmp[0:1]=8 or icmp[0:1]=0))
* icmp type 0 = echo reply, type 8=echo request
* see your local manpage for more BPF info ;-)
This way snort drops the packets before any analysis is attempted.
Hope this helps.
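As an added illustration (not part of the original post or of Snort itself), the following Python emulates how BPF evaluates the second filter, `not ( net X and (icmp[0:1]=8 or icmp[0:1]=0) )`, against raw IPv4/ICMP packets, so you can see which packets never reach Snort's analysis. The post does not give Digital Island's address range, so the RFC 5737 documentation block 198.51.100.0/24 stands in for it, and the packet builder is a constructed helper.

```python
import ipaddress
import struct

# Placeholder for "<enter Digital Island's NET>": the real range is not in the post.
FILTERED_NET = ipaddress.ip_network("198.51.100.0/24")

ICMP_ECHO_REPLY = 0      # icmp[0:1]=0
ICMP_ECHO_REQUEST = 8    # icmp[0:1]=8
ICMP_DEST_UNREACH = 3    # an ICMP type the filter does NOT drop


def build_icmp_packet(src, dst, icmp_type):
    """Constructed helper: minimal IPv4 header + 8-byte ICMP header, no checksums
    (BPF never looks at them for this expression)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + 8, 0, 0, 64, 1, 0,          # v4, IHL=5, proto 1 = ICMP
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0, 1)
    return ip_hdr + icmp_hdr


def bpf_keeps(packet):
    """Return True if the filter passes the packet to Snort, False if it is dropped.

    Emulates:  not ( net FILTERED_NET and (icmp[0:1]=8 or icmp[0:1]=0) )
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    # 'net X' with no direction qualifier matches either source or destination.
    in_net = src in FILTERED_NET or dst in FILTERED_NET
    # 'icmp[0:1]' is byte 0 of the ICMP header, i.e. the type field; the
    # 'icmp' keyword itself implies "ip proto icmp".
    is_icmp = proto == 1
    is_echo = is_icmp and packet[ihl] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
    return not (in_net and is_echo)
```

Only echo request/reply involving the filtered net is suppressed; other ICMP from that net (e.g. destination unreachable) and pings from any other source still reach Snort.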