[Snort-users] L3retriver alerts

Erek Adams erek at ...577...
Wed Sep 4 10:06:02 EDT 2002


On Wed, 4 Sep 2002, Augustinho Catto wrote:

> We have an A.D. Server running inside our enclave network (for
> corporate servers) and, of course, our workstations inside of our
> internal network send packets to this server, and this event is
> logged as "bad event" "IDS311/PING-SCANNER-L3RETRIEVER".
> But this "ping" is necessary to our workstation, so to avoid this alert
> I created W2K_SERVER [10.20.200.73/32, 10.20.200.74/32] inside
> of our snort.conf.
>
> After that I modified icmp.rules file:
> "alert icmp $EXTERNAL_NET -> $W2K_SERVER .... ".
>
> In spite of this fact, Snort is still giving us this alert.
>
> How could I avoid it?

pass icmp $EXTERNAL_NET any -> $W2K_SERVER any

Then start snort with '-o'.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
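
Why the pass rule only takes effect with '-o', as an added example that is not part of the original post: a simplified Python model of Snort's rule-type ordering (Alert, Pass, Log by default; Pass, Alert, Log with '-o'). Rule options are ignored, and the HOME_NET range, EXTERNAL_NET = any and the workstation address used in the comments are assumptions.

```python
import ipaddress

# Constructed variables modelled on the thread. HOME_NET and EXTERNAL_NET = any
# are assumptions; only the W2K_SERVER addresses come from the post.
VARS = {
    "EXTERNAL_NET": ["0.0.0.0/0"],
    "HOME_NET": ["10.20.0.0/16"],
    "W2K_SERVER": ["10.20.200.73/32", "10.20.200.74/32"],
}

# (action, protocol, source variable, destination variable); options omitted.
RULES = [
    ("alert", "icmp", "EXTERNAL_NET", "HOME_NET"),   # stands in for the IDS311 ping rule
    ("pass", "icmp", "EXTERNAL_NET", "W2K_SERVER"),  # the pass rule from the reply
]

DEFAULT_ORDER = ("alert", "pass", "log")     # Snort started without -o
PASS_FIRST_ORDER = ("pass", "alert", "log")  # Snort started with -o


def in_var(addr, var):
    """True if addr falls inside any network listed for the variable."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in VARS[var])


def matches(rule, proto, src, dst):
    """Header-only match: protocol, source and destination."""
    _, r_proto, r_src, r_dst = rule
    return proto == r_proto and in_var(src, r_src) and in_var(dst, r_dst)


def evaluate(proto, src, dst, order):
    """Walk the rule types in the given order; the first matching rule decides."""
    for action in order:
        for rule in RULES:
            if rule[0] == action and matches(rule, proto, src, dst):
                return action
    return None


if __name__ == "__main__":
    ping = ("icmp", "10.20.1.15", "10.20.200.73")  # constructed workstation -> A.D. server
    print("without -o:", evaluate(*ping, DEFAULT_ORDER))
    print("with -o:   ", evaluate(*ping, PASS_FIRST_ORDER))
    # A ping to a host outside W2K_SERVER is still alerted on with -o.
    print("other host:", evaluate("icmp", "10.20.1.15", "10.20.200.80", PASS_FIRST_ORDER))
```

The pass rule is scoped to the two server addresses, so ICMP to every other host in HOME_NET keeps generating the alert under either ordering.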




