[Snort-users] L3retriver alerts

Erek Adams erek at ...577...
Wed Sep 4 10:06:02 EDT 2002

On Wed, 4 Sep 2002, Augustinho Catto wrote:

> We have an A.D. Server running inside our enclave network (for
> corporate servers) and, of course our workstations, inside of our
> internal network send packets to this server and this event is
> logged as "bad event" "IDS311/PING-SCANNER-L3RETRIEVER" .
> But this "ping" is necessary to our workstation, so to avoid this alert
> I created W2K_SERVER [,] inside
> of our snort.conf.
> After that I modified icmp.rules file:
> "alert icmp $EXTERNAL_NET -> $W2K_SERVER .... ".
> In spite of this fact the snort is still given us this alert.
> How could I avoid its?

pass icmp $EXTERNAL_NET -> $W2K_SERVER

Then start snort with '-o'.


Erek Adams

More information about the Snort-users mailing list