[Snort-users] ICMP rule not behaving as expected
neil at ...1633...
Mon Apr 7 11:19:02 EDT 2003
"Tobias Rice" <rice at ...7669...> wrote in response to me:
>Hmmm. I'll take a stab...
>pass icmp [my.home.net.0/24,offending.box.external.net] any -> $HOME_NET any (msg:"ICMP Destination \
> Unreachable (Undefined Code!)"; itype: 3; sid:407; classtype:misc- \
> activity; rev:4;)
Thanks much, Tobias! That did it. I used this syntax ...
pass icmp $ICMP_AVOID any -> $HOME_NET any ( .... )
... with ICMP_AVOID set to ...
var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]
... in snort.conf and it works fine.
I still don't understand why the other method didn't work,
though; it seems to me it should have. The "NOT" operator
( ! ) works fine for ...
var HOME_NET my.home.net.0/24
var EXTERNAL_NET !$HOME_NET
... where HOME_NET contains a single value, but it doesn't
seem to work if there is more than one value assigned.
Thanks again, Tobias.
Neil Dickey, Ph.D.
Northern Illinois University