[Snort-users] L3retriver alerts

Augustinho Catto Catto at ...6458...
Wed Sep 4 07:30:03 EDT 2002

Dear gurus:

We have an A.D. Server running inside our enclave network (for 
corporate servers) and, of course our workstations, inside of our 
internal network send packets to this server and this event is 
logged as "bad event" "IDS311/PING-SCANNER-L3RETRIEVER" .
But this "ping" is necessary to our workstation, so to avoid this alert 
I created W2K_SERVER [,] inside 
of our snort.conf.

After that I modified icmp.rules file: 
"alert icmp $EXTERNAL_NET -> $W2K_SERVER .... ".

In spite of this fact the snort is still given us this alert.

How could I avoid its?

Augustinho Valmor CATTO
CNE - Analista de Suporte 
UNISINOS - Universidade do Vale do Rio dos Sinos
Sao Leopoldo - RS - Brasil
Phone: +55 xx 51 590-8386

More information about the Snort-users mailing list