[Snort-users] ICMP Ping NMAP troubleshooting

Stephen W. Thomas swthomas at ...9227...
Tue May 20 07:22:08 EDT 2003


"Let's massage this a bit:

  pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8;
  sid:1000469; rev:1;)"
 
Doesn't this in effect ignore all ICMP Ping from anyone to anyone on my network? I would think I still want to be aware of ICMP Pings to the other hosts on my net, just not the one I'm aware of. Would this work?
 
  pass icmp $EXTERNAL_NET any -> $HOME_NET !foo (dsize: 0; itype: 8;
  sid:1000469; rev:1;)

 

Where "foo" is the IP address for my server that's getting the known pings. I would think this would still alert on ICMP Pings to other hosts on my network just not to foo.

Thanks,

Steve



	-----Original Message----- 
	From: Erek Adams [mailto:erek at ...950...] 
	Sent: Tue 5/20/2003 9:12 AM 
	To: Stephen W. Thomas 
	Cc: Erek Adams; snort-users at lists.sourceforge.net 
	Subject: RE: [Snort-users] ICMP Ping NMAP troubleshooting
	
	

	On Tue, 20 May 2003, Stephen W. Thomas wrote:
	
	> That would be another option. Of course the example uses a source as the
	> one you want to ignore/filter and in my case I don't want to ignore all
	> of our servers as the source rather I want to ignore the one server as
	> the destination. I was thinking about modifying the ICMP Ping NMAP rule
	> to read something like "alert xxxx $EXTERNAL_NET any -> $HOME_NET !foo"
	
	Actually, you missed something on there....  Check out the BPF filter
	section again.  It shows you how to ignore all ICMP ECHO and ICMP ECHO
	REQUEST codes from a specific host.  Now if you just wanted to ignore
	_all_ hosts, you don't need the 'host <foo>' filter expression.  You
	don't even have to know where you want to ignore it from.  :)
	
	There's also something else that isn't clear from that.  You can also make
	the pass rules more specific.  For example, the original rule:
	
	  alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
	  dsize: 0; itype: 8; reference:arachnids,162;  classtype:attempted-recon;
	  sid:469; rev:1;)
	
	Let's massage this a bit:
	
	  pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8;
	  sid:1000469; rev:1;)
	
	A pass rule is still a rule.  It can have each and every part that an alert
	or log rule does.  By using the qualifiers, you can make the pass rule
	more specific.
	
	> The one question I have with this is will it get overwritten when Acid
	> updates the rules?
	
	ACID does not update rules.  ACID is simply a 'viewing' front end written
	in PHP that pulls data from a MySQL or Postgres DB.
	
	Hope that helps!
	
	-----
	Erek Adams
	
	   "When things get weird, the weird turn pro."   H.S. Thompson
	


