[Snort-users] single IP icmp alert rule error

ids at ...8163...
Thu Jan 30 06:52:07 EST 2003


OK ... this should be simple... please forgive this lowly novice's ignorance :)

I created a simple rule in the icmp_info rule folder

(more or less)
alert icmp any any -> $HOME_NET any (msg:"test of ping";)

I then issued a ping from a remote machine against 192.168.1.101 from 192.168.1.100.
This worked fine.  The log reported the alert.

I then changed this rule to alert when pings were being issued from
192.168.1.100.
I changed the above rule to..

alert icmp 192.168.1.100 any -> $HOME_NET any (msg: "test of ping";)

The result-  'nothing'!  Actually, a different rule further down the rule
chain was triggered.  I presume since mine was not detected it continued to
evaluate the rules in the icmp_info.rules file until it found an alert that
applied.

I also tried  192.168.1.100/32  - no joy.

Anyone have any suggestions?  I'm kinda in a tough spot - this is not the
rule I need... I simply need to be able to write rules and identify that
single IPs are to be applied.

Any assistance will greatly be appreciated.

Direct responses are also greatly appreciated...
Citadel85 at ...661...
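The following is an added example, not part of the original post and not Snort's own code: a small Python model of how the Snort rule header fields (protocol, source address/port, direction operator, destination address/port) are matched against a packet. It expands a `$HOME_NET` variable the way `snort.conf` would and accepts `any`, single IPs, CIDR blocks, `!` negation and bracketed lists, so it can show directly that `192.168.1.100` and `192.168.1.100/32` describe the same source and what each of the two rules from the post matches. The variable values, the "generic" catch-all rule and the sample packets are constructed for the example, and the first-match-in-file-order evaluation is a simplification of Snort's real engine.

```python
import ipaddress
import re

# Constructed stand-in for "var HOME_NET ..." lines in snort.conf (assumption).
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}


def expand_vars(field, vars_):
    """Replace $NAME references until nothing changes (so !$HOME_NET resolves)."""
    prev = None
    while prev != field:
        prev = field
        for name, value in vars_.items():
            field = field.replace("$" + name, value)
    return field


def ip_matches(spec, ip, vars_=VARS):
    """Does an address field match `ip`? Handles any, IP, CIDR, !, and [a,b] lists."""
    spec = expand_vars(spec, vars_).strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip, vars_)
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(part, ip, vars_) for part in spec[1:-1].split(","))
    # strict=False turns a bare host address into a /32, so "192.168.1.100"
    # and "192.168.1.100/32" are the same network here.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Port field: any, single port, lo:hi range (either side open), or ! negation."""
    spec = spec.strip()
    if spec == "any":
        return True
    if port is None:  # ICMP carries no ports, so only "any" can match
        return False
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(text):
    """Split a one-line rule into its header fields and pull out the msg option."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule header: " + text)
    rule = m.groupdict()
    msg = re.search(r'msg:\s*"([^"]*)"', rule["opts"])
    rule["msg"] = msg.group(1) if msg else ""
    return rule


def header_matches(rule, pkt, vars_=VARS):
    """pkt: dict with proto, src, dst, sport, dport (ports are None for ICMP)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    forward = (ip_matches(rule["src"], pkt["src"], vars_)
               and port_matches(rule["sport"], pkt["sport"])
               and ip_matches(rule["dst"], pkt["dst"], vars_)
               and port_matches(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->":
        return forward
    # "<>" is bidirectional: the header may also match with the sides swapped.
    reverse = (ip_matches(rule["src"], pkt["dst"], vars_)
               and port_matches(rule["sport"], pkt["dport"])
               and ip_matches(rule["dst"], pkt["src"], vars_)
               and port_matches(rule["dport"], pkt["sport"]))
    return forward or reverse


def first_match(rules, pkt, vars_=VARS):
    """Return the msg of the first rule whose header matches, or None."""
    for rule in rules:
        if header_matches(rule, pkt, vars_):
            return rule["msg"]
    return None


def icmp(src, dst):
    """Constructed ICMP packet summary (no ports)."""
    return {"proto": "icmp", "src": src, "dst": dst, "sport": None, "dport": None}


# The single-IP rule from the post, followed by a constructed catch-all standing in
# for the "rule further down the chain" (not a real Snort-distributed rule).
RULES = [parse_rule(r) for r in [
    'alert icmp 192.168.1.100 any -> $HOME_NET any (msg: "test of ping";)',
    'alert icmp any any -> $HOME_NET any (msg:"generic icmp to home net";)',
]]

if __name__ == "__main__":
    for pkt in [icmp("192.168.1.100", "192.168.1.101"),   # the echo request
                icmp("192.168.1.101", "192.168.1.100"),   # the echo reply
                icmp("10.0.0.5", "192.168.1.101")]:       # ping from elsewhere
        print(pkt["src"], "->", pkt["dst"], ":", first_match(RULES, pkt))
```

With the constructed `HOME_NET` both hosts are inside the home network, so the model shows one thing worth checking on a real sensor: the original `any any` rule matches both the echo request and the echo reply, while the `192.168.1.100`-sourced rule matches only the request, and the reply (source `192.168.1.101`) falls through to whatever catch-all comes next. The post does not say what `HOME_NET` is set to or which direction the sensor saw, so this only shows what the header fields can and cannot match, not the cause of the post's result.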