[Snort-users] ICMP Ping NMAP troubleshooting
erek at ...950...
Tue May 20 07:13:07 EDT 2003
On Tue, 20 May 2003, Stephen W. Thomas wrote:
> That would be another option. Of course the example uses a source as the
> one you want to ignore/filter and in my case I don't want to ignore all
> of our servers as the source rather I want to ignore the one server as
> the destination. I was thinking about modifying the ICMP Ping NMAP rule
> to read something like "alert xxxx $EXTERNAL_NET any -> $HOME_NET !foo"
Actually, you missed something on there.... Check out the BPF filter
section again. It shows you how to ignore all ICMP ECHO and ICMP ECHO
REQUEST codes from a specific host. Now if you just wanted to ignore
_all_ hosts, you don't need the 'host <foo>' filter expression. You
don't even have to know where you want to ignore it from. :)
There's also something else that isn't clear from that. You can also make
the pass rules more specific. For example, the original rule:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon;
Let's massage this a bit:
pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8;)
A pass rule is still a rule. It can have each and every part that an alert
or log rule does. By using the qualifiers, you can make the pass rule
> The one question I have with this is will it get overwritten when Acid
> updates the rules?
ACID does not update rules. ACID is simply a 'viewing' front end written
in PHP that pulls data from a MySQL or Postgres DB.
Hope that helps!
"When things get weird, the weird turn pro." H.S. Thompson
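An added example, not from the list post: a small Python evaluator that applies the ICMP PING NMAP alert rule and a pass rule carrying the same dsize/itype qualifiers but narrowed to one destination server, pass rules first, to constructed ICMP packet summaries. The rule grammar it accepts, the 192.0.2.0/24 home network and the 192.0.2.10 server address are assumptions.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed sample home network

def parse_rule(text):
    """Split a Snort-style rule into header fields plus an option dict (msg, dsize, itype, ...)."""
    head, _, opts = text.partition("(")
    action, proto, src, _sport, _arrow, dst, _dport = head.split()
    options = dict(tuple(map(str.strip, o.split(":", 1))) for o in opts.rstrip(")").split(";") if ":" in o)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "opts": options}

def addr_matches(spec, addr):
    """'any', $HOME_NET, $EXTERNAL_NET or a literal host; a leading '!' negates the match."""
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec in ("$HOME_NET", "$EXTERNAL_NET"):
        hit = (addr in HOME_NET) == (spec == "$HOME_NET")
    else:
        hit = addr == ipaddress.ip_address(spec)
    return hit != negate

def rule_matches(rule, pkt):
    """Header plus the two qualifiers the ICMP PING NMAP rule relies on (dsize and itype)."""
    o = rule["opts"]
    return (rule["proto"] == pkt["proto"]
            and addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])
            and all(k not in o or int(o[k]) == pkt[k] for k in ("dsize", "itype")))

def verdict(rules, pkt):
    """Pass rules are checked before alert rules (Snort 2.0 needed -o or 'config order' for that)."""
    for action in ("pass", "alert"):
        if any(r["action"] == action and rule_matches(r, pkt) for r in rules):
            return action
    return "none"

RULES = [parse_rule(r) for r in (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8;)',
    # the reply's pass rule, narrowed to the one server (hypothetical address) as destination
    'pass icmp $EXTERNAL_NET any -> 192.0.2.10 any (dsize: 0; itype: 8;)',
)]
def icmp(src, dst, itype=8, dsize=0):
    """Constructed packet summary; nmap's ping probe is an echo request (itype 8) with no payload."""
    return {"proto": "icmp", "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "itype": itype, "dsize": dsize}
if __name__ == "__main__":
    for p in (icmp("198.51.100.7", "192.0.2.10"),            # the ignored server -> pass
              icmp("198.51.100.7", "192.0.2.20"),            # any other home host -> alert
              icmp("198.51.100.7", "192.0.2.10", dsize=56)): # ordinary ping -> none
        print(p["dst"], p["dsize"], verdict(RULES, p))
```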