[Snort-users] ICMP Ping NMAP troubleshooting

Stephen W. Thomas swthomas at ...9227...
Tue May 20 06:39:11 EDT 2003


That would be another option. Of course, the example uses a source as the one you want to ignore/filter, and in my case I don't want to ignore all of our servers as the source; rather, I want to ignore the one server as the destination. I was thinking about modifying the ICMP Ping NMAP rule to read something like "alert xxxx $EXTERNAL_NET any -> $HOME_NET !foo"
 
The one question I have with this is: will it get overwritten when Acid updates the rules?
 
Thanks,
Steve

	-----Original Message----- 
	From: Erek Adams [mailto:erek at ...950...] 
	Sent: Tue 5/20/2003 8:31 AM 
	To: Stephen W. Thomas 
	Cc: snort-users at lists.sourceforge.net 
	Subject: Re: [Snort-users] ICMP Ping NMAP troubleshooting
	
	

	On Tue, 20 May 2003, Stephen W. Thomas wrote:
	
	[...snip...]
	
	> A. Ignore the thousands of hits it gets
	> B. Disable that one rule for the one destination.
	
	And two other ways:
	
	        http://www.theadamsfamily.net/~erek/snort/ignore.txt
	
	Cheers!
	
	-----
	Erek Adams
	
	   "When things get weird, the weird turn pro."   H.S. Thompson
	


