[Snort-users] ICMP Ping NMAP troubleshooting

Erek Adams erek at ...950...
Tue May 20 07:13:07 EDT 2003


On Tue, 20 May 2003, Stephen W. Thomas wrote:

> That would be another option. Of course the example uses a source as the
> one you want to ignore/filter and in my case I don't want to ignore all
> of our servers as the source rather I want to ignore the one server as
> the destination. I was thinking about modifying the ICMP Ping NMAP rule
> to read something like "alert xxxx $EXTERNAL_NET any -> $HOME_NET !foo"

Actually, you missed something on there....  Check out the BPF filter
section again.  It shows you how to ignore all ICMP ECHO and ICMP ECHO
REQUEST codes from a specific host.  Now if you just wanted to ignore
_all_ hosts, you don't need the 'host <foo>' filter expression.  You
don't even have to know where you want to ignore it from.  :)

There's also something else that isn't clear from that.  You can also make
the pass rules more specific.  For example, the original rule:

  alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
  dsize: 0; itype: 8; reference:arachnids,162;  classtype:attempted-recon;
  sid:469; rev:1;)

Let's massage this a bit:

  pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8;
  sid:1000469; rev:1;)

A pass rule is still a rule.  It can have each and every part that an alert
or log rule does.  By using the qualifiers, you can make the pass rule
more specific.

> The one question I have with this is will it get overwritten when Acid
> updates the rules?

ACID does not update rules.  ACID is simply a 'viewing' front end written
in PHP that pulls data from a MySQL or Postgres DB.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
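A worked configuration for the case discussed in the thread (suppress "ICMP PING NMAP" for empty echo requests to one destination server, while still alerting on the rest of $HOME_NET), added here as an example; it is not part of Erek's or Stephen's posts and not from the Snort distribution. The server address 192.168.1.10, the file names, the interface name and the local SID are assumptions. It shows the pass rule narrowed by destination host with every qualifier of sid 469 repeated, and, as command-line comments, the rule-order caveat and the BPF-filter alternative: Snort 2.x evaluates rules Alert->Pass->Log by default, so a pass rule only suppresses the alert when the order is changed with `-o` (or `config order: pass alert log` in snort.conf).

```snort
# local.rules  (constructed example)
#
# The stock rule stays untouched in icmp.rules, so it survives rule updates:
#   alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
#   dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon;
#   sid:469; rev:1;)

# Pass rule scoped to the DESTINATION host (192.168.1.10 is assumed to be the
# one server that gets pinged legitimately).  The dsize and itype qualifiers
# from sid 469 are repeated on purpose: only zero-length echo requests (the
# NMAP signature) to this host are passed.  A ping with a payload, or the same
# empty ping to any other $HOME_NET host, still raises sid 469.
# SIDs at or above 1000000 are the range reserved for locally written rules.
pass icmp $EXTERNAL_NET any -> 192.168.1.10 any (dsize: 0; itype: 8; sid:1000469; rev:1;)

# Rule order: with the default Alert->Pass->Log order sid 469 fires before the
# pass rule above is consulted.  Start Snort with -o to evaluate pass rules
# first (or put "config order: pass alert log" in snort.conf):
#
#   snort -o -c /etc/snort/snort.conf -i eth0
#
# Alternative from the BPF section of the FAQ: stop the packets from reaching
# the detection engine at all.  Note this drops EVERY echo request to that host,
# with or without a payload, and hides them from all other rules and from
# logging, which is coarser than the pass rule:
#
#   snort -c /etc/snort/snort.conf -i eth0 'not (icmp[icmptype] = icmp-echo and dst host 192.168.1.10)'
```

Because local.rules is a separate file included from snort.conf, neither approach is touched by a rules update; only edits made directly inside the distributed icmp.rules would be lost.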