[Snort-users] ICMP rule not behaving as expected

Neil Dickey neil at ...1633...
Mon Apr 7 11:19:02 EDT 2003


"Tobias Rice" <rice at ...7669...> wrote in response to me:

>Hmmm. I'll take a stab...
>Try this:
>
>pass icmp [my.home.net.0/24,offending.box.external.net] any -> $HOME_NET any (msg:"ICMP Destination \
>    Unreachable (Undefined Code!)"; itype: 3; sid:407;  classtype:misc- \
>    activity; rev:4;)

Thanks much, Tobias!  That did it.  I used this syntax ...

  pass icmp $ICMP_AVOID any -> $HOME_NET any ( .... )

... with ICMP_AVOID set to ...

  var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]

... in snort.conf and it works fine.

I still don't understand why the other method didn't work,
though; it seems to me it should have.  The "NOT" operator
( ! ) works fine for ...

  var HOME_NET my.home.net.0/24
  var EXTERNAL_NET !$HOME_NET

... where HOME_NET contains a single value, but it doesn't
seem to work if there is more than one value assigned.

Thanks again, Tobias.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
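To make the list and negation semantics discussed in this thread concrete, here is a small Python evaluator for Snort-style address expressions. It is an added illustration, not Snort's own matching code: the snort.conf variable values (192.0.2.0/24, 198.51.100.7) are constructed stand-ins for the placeholders in the post, and it models negation as applying to a whole list, which is what Neil expected; whether a given Snort release accepts a negated list variable is version-dependent.

```python
"""Toy evaluator for Snort-style address expressions (constructed example)."""
import ipaddress

# Constructed snort.conf variables standing in for the placeholders in the post.
VARS = {
    "HOME_NET": "192.0.2.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "ICMP_AVOID": "[192.0.2.0/24,198.51.100.7]",
}


def expand_vars(expr: str, variables: dict) -> str:
    """Replace every $NAME with its snort.conf value (repeats until none remain)."""
    while "$" in expr:
        start = expr.index("$")
        end = start + 1
        while end < len(expr) and (expr[end].isalnum() or expr[end] == "_"):
            end += 1
        expr = expr[:start] + variables[expr[start + 1:end]] + expr[end:]
    return expr


def split_list(body: str) -> list:
    """Split a bracket-list body on top-level commas (nested lists allowed)."""
    items, depth, current = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(current)
            current = ""
        else:
            current += ch
    return items + [current]


def matches(expr: str, ip: str, variables: dict = VARS) -> bool:
    """True if ip is covered by expr. A leading '!' inverts the whole
    expression; a [a,b,...] list matches when any element matches."""
    expr = expand_vars(expr.strip(), variables)
    if expr.startswith("!"):
        return not matches(expr[1:], ip, variables)
    if expr == "any":
        return True
    if expr.startswith("[") and expr.endswith("]"):
        return any(matches(item, ip, variables) for item in split_list(expr[1:-1]))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def pass_rule_fires(src_ip: str, dst_ip: str) -> bool:
    """Address check of 'pass icmp $ICMP_AVOID any -> $HOME_NET any'."""
    return matches("$ICMP_AVOID", src_ip) and matches("$HOME_NET", dst_ip)
```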