[Snort-users] Speedera Alerts

Erek Adams erek at ...577...
Mon Mar 25 10:32:10 EST 2002


On Mon, 25 Mar 2002, Kevin L Pawloski wrote:

> My Snort logs are being flooded with Speedera Alerts. This is to be
> expected since they are pinging one of my DNS servers =) Except for some
> reason the rule I am using is not filtering out any of their packets.
> Here is what I have in my icmp rules and a sample packet.
>
> alert ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3A3B 3C3D 3E3F|"; itype: 8; )
>
> 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17   ...............
> 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27   ........ !"#$%&'
> 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37   ()*+,-./01234567
> 38 39 3A 3B 3C 3D 3E 3F                           89:;<=>?
>
> Any ideas?

Well, if that rule is in your ruleset, and you are getting those pings--It
should fire.  It's an 'alert' rule.  Alert rules do just that--Alert!  :)

Now if you wanted to ignore it, then copy the rule, change 'alert' to 'pass'
and then start snort with a -o parameter.

Should do it....

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
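An added example (not from either poster) that checks the reply's point mechanically: it parses the hex dump and the rule quoted in the question, applies the rule's itype and content tests, and shows that the alert rule does match that payload and that the suggested 'pass' copy matches the same traffic. It assumes the captured packet was an echo request (itype 8), since the dump shows only the ICMP payload; the -o rule-order switch is Snort runtime behaviour and is not modelled here.

```python
import re

# Constructed from the hex dump quoted in the question: ICMP payload only, no IP/ICMP header.
SAMPLE_DUMP = """
08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17   ...............
18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27   ........ !"#$%&'
28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37   ()*+,-./01234567
38 39 3A 3B 3C 3D 3E 3F                           89:;<=>?
"""
# The rule as posted (rejoined onto one line) and the 'pass' copy the reply suggests.
ALERT_RULE = 'alert ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3A3B 3C3D 3E3F|"; itype: 8; )'
PASS_RULE = ALERT_RULE.replace("alert", "pass", 1)

def dump_to_bytes(dump: str) -> bytes:
    """Parse a Snort-style hex dump: hex pairs on the left, ASCII column (3+ spaces away) on the right."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_part = re.split(r"\s{3,}", line.strip(), maxsplit=1)[0]
        out.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(out)

def content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string: |..| runs are hex (spaces ignored), the rest is literal text."""
    out = bytearray()
    for i, seg in enumerate(content.split("|")):
        out.extend(bytes.fromhex(seg) if i % 2 else seg.encode("latin-1"))
    return bytes(out)

def parse_rule(rule: str) -> dict:
    """Split a one-line rule into its action, protocol and key:value options."""
    head, _, body = rule.partition("(")
    action, proto = head.split()[:2]
    options = {}
    for opt in body.rstrip(")").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "options": options}

def rule_matches(rule: dict, icmp_type: int, payload: bytes) -> bool:
    """Apply the protocol, itype and content tests; addresses/ports are 'any' here, so not checked."""
    opts = rule["options"]
    return (rule["proto"] == "icmp"
            and ("itype" not in opts or int(opts["itype"]) == icmp_type)
            and ("content" not in opts or content_to_bytes(opts["content"]) in payload))

if __name__ == "__main__":
    payload = dump_to_bytes(SAMPLE_DUMP)  # assumed to be an echo request (itype 8); header not in the dump
    for rule in map(parse_rule, (ALERT_RULE, PASS_RULE)):
        print(f"{rule['action']:5s} {rule['options']['msg']!r} matches: {rule_matches(rule, 8, payload)}")
```

Both rules report a match, which is why a pass rule only silences the alert when Snort is told to evaluate pass rules first.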




