[Snort-users] ICMP Ping NMAP troubleshooting
Stephen W. Thomas
swthomas at ...9227...
Tue May 20 06:39:11 EDT 2003
That would be another option. Of course, the example uses a source as the one you want to ignore/filter, and in my case I don't want to ignore all of our servers as the source; rather, I want to ignore the one server as the destination. I was thinking about modifying the ICMP Ping NMAP rule to read something like "alert xxxx $EXTERNAL_NET any -> $HOME_NET !foo"
The one question I have with this is: will it get overwritten when Acid updates the rules?
From: Erek Adams [mailto:erek at ...950...]
Sent: Tue 5/20/2003 8:31 AM
To: Stephen W. Thomas
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ICMP Ping NMAP troubleshooting
On Tue, 20 May 2003, Stephen W. Thomas wrote:
> A. Ignore the thousands of hits it gets
> B. Disable that one rule for the one destination.
And two other ways:
"When things get weird, the weird turn pro." H.S. Thompson