[Snort-users] resp in rule

Bob McDowell bmcdowell at ...7861...
Thu Jan 30 11:30:08 EST 2003


Logically, I would think that it is possible.  The real question is, would
it do what you have in mind?  I'm not up on the rules language, but there is
a flex-resp action for it:  icmp_host (for destination host unreachable,
anyway).  The rule could be triggered by ICMP requests of the proper type.
The catch is, though, that that same ICMP request would in fact breeze right
by the IDS unmolested.  The end result is most likely two answers for the
same request.  Maybe you could 'patch' this up by blocking the normal
answers via firewall rules.  You could block all ICMP answers from
everything but the IDS...  That might work.  Bear in mind, this is all still
fuzzy logic.  I have tested none of this.

Can anyone else lend a hand here?


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of JR
Sent: Wednesday, January 29, 2003 3:20 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] resp in rule


I would like to create a rule that responds to any ping with a "destination
unreachable" as opposed to the Windows "timed out".
Is this possible?
Thanks
JR
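Bob's flex-resp suggestion above, written out as a Snort rule. This is an added example, not code from either poster. It assumes Snort 1.9/2.x built with --enable-flexresp (the resp keyword is not available otherwise), that $HOME_NET is defined in snort.conf, and an arbitrary sid from the local rule range.

```snort
# Added example (not from the original thread). Match ICMP echo requests
# (itype 8) headed for our hosts and have the sensor inject an ICMP
# destination host unreachable back at the sender via flexresp.
# Assumes: Snort built with --enable-flexresp, $HOME_NET set in snort.conf,
# sid chosen from the local (>= 1000000) range.
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request answered with host unreachable"; itype:8; icode:0; resp:icmp_host; sid:1000001; rev:1;)
```

The rule does what Bob outlines, and it has the weakness he points out: the sensor is passive, so the echo request still reaches the target host, which sends its normal echo reply, and the pinging side sees both that reply and the sensor's unreachable (usually in that order, since the host answers directly while the sensor has to see the packet and craft a response). Suppressing the genuine reply has to happen elsewhere, for example an outbound firewall rule on the hosts or at the border that drops ICMP echo-reply from everything except the sensor (on Linux, something like an iptables OUTPUT rule on icmp-type echo-reply, which is an assumption about the environment, not something the thread specifies). Also bear in mind that any rule with resp: lets an outside party make the sensor emit packets on demand, so keep the match as tight as possible.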


