[Snort-users] L3retriver alerts
erek at ...577...
Wed Sep 4 10:06:02 EDT 2002
On Wed, 4 Sep 2002, Augustinho Catto wrote:
> We have an A.D. Server running inside our enclave network (for
> corporate servers) and, of course our workstations, inside of our
> internal network send packets to this server and this event is
> logged as "bad event" "IDS311/PING-SCANNER-L3RETRIEVER" .
> But this "ping" is necessary to our workstation, so to avoid this alert
> I created W2K_SERVER [10.20.200.73/32, 10.20.200.74/32] inside
> of our snort.conf.
> After that I modified icmp.rules file:
> "alert icmp $EXTERNAL_NET -> $W2K_SERVER .... ".
> In spite of this, Snort is still giving us this alert.
> How could I avoid it?
pass icmp $EXTERNAL_NET -> $W2K_SERVER
Then start snort with '-o'.
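
Why the '-o' matters, as an added example that is not part of the original post: Snort normally applies rules in Alert->Pass->Log order, so a pass rule never gets the chance to suppress a matching alert unless '-o' switches the order to Pass->Alert->Log. The Python below is a simplified model of that ordering, not Snort's own code; the packet addresses, the EXTERNAL_NET = any setting, and the alert rule's "any" destination are assumptions made for the illustration.

```python
import ipaddress

# W2K_SERVER addresses come from the post; everything else is constructed.
W2K_SERVER = [ipaddress.ip_network(n) for n in ("10.20.200.73/32", "10.20.200.74/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]   # assumption: EXTERNAL_NET is "any"

# Simplified rule headers: (action, proto, source nets, destination nets).
RULES = [
    ("alert", "icmp", ANY, ANY),         # stands in for the IDS311 ping-scanner rule
    ("pass",  "icmp", ANY, W2K_SERVER),  # the pass rule from the reply
]

DEFAULT_ORDER = ("alert", "pass", "log")  # Snort without -o
DASH_O_ORDER = ("pass", "alert", "log")   # Snort started with -o


def in_nets(addr, nets):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def verdict(packet, rules, order):
    """Walk the rule lists in the given action order; first match decides."""
    proto, src, dst = packet
    for action in order:
        for r_action, r_proto, r_src, r_dst in rules:
            if (r_action == action and r_proto == proto
                    and in_nets(src, r_src) and in_nets(dst, r_dst)):
                return action
    return None


def run(order):
    """Verdicts for two constructed ICMP packets from one workstation."""
    packets = [
        ("icmp", "10.20.1.15", "10.20.200.73"),  # workstation -> A.D. server
        ("icmp", "10.20.1.15", "10.20.200.80"),  # workstation -> some other host
    ]
    return [verdict(p, RULES, order) for p in packets]


if __name__ == "__main__":
    print("without -o:", run(DEFAULT_ORDER))
    print("with -o:   ", run(DASH_O_ORDER))
```

With '-o' only the traffic to the two listed servers is passed; the same ping to any other host still raises the alert.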