[Snort-users] ICMP Ping NMAP troubleshooting

Erek Adams erek at ...950...
Tue May 20 08:26:24 EDT 2003


On Tue, 20 May 2003, Stephen W. Thomas wrote:

>> "Let's massage this a bit:
>>
>>   pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8;
>>   sid:1000469; rev:1;)"
>>
> Doesn't this in effect ignore all ICMP Ping from anyone to anyone on my
> network?

Not exactly.  It ignores ICMP type 8 (pings) with a dsize of 0.  NMAP
pings don't have a payload, hence the dsize of 0.  Other pings have a
payload of some sort, or of some pattern.

> I would think I still want to be aware of ICMP Pings to the
> other hosts on my net, just not the one I'm aware of. Would this work?
>
>   pass icmp $EXTERNAL_NET any -> $HOME_NET !foo (dsize: 0; itype: 8;
>   sid:1000469; rev:1;)
>
> Where "foo" is the IP address for my server that's getting the known
> pings. I would think this would still alert on ICMP Pings to other hosts
> on my network just not to foo.

Excellent!  Now you're starting to think of ways to make it a 'tighter
rule'!  Woo-Hoo!  :)  Sadly, the rule you have wouldn't work quite as you
expect.  The !foo would translate to 'not port foo' instead of 'not host
foo'....  And you wouldn't want it as 'not host foo' since that would pass
all of that traffic to all hosts _except_ foo.

If you wanted it a bit tighter:

	pass icmp $EXTERNAL_NET any -> $SENSOR_IP any (dsize:0; itype:8; sid:1000469; rev:1;)

Or maybe even better, since you only are dealing with these on your
internal network:

	pass icmp $HOME_NET any -> $SENSOR_IP any (dsize:0; itype:8; sid:1000469; rev:1;)

Or if you really want to get fancy:

	var NOISY_SERVERS [10.10.10.10/32,10.10.10.19/32,192.168.1.0/24]
	pass icmp $NOISY_SERVERS any -> $SENSOR_IP any (dsize:0; itype:8; sid:1000469; rev:1;)

Check out the second chapter [0] of the Snort Users Manual [1], as it
covers rules quite a bit.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.snort.org/docs/writing_rules/chap2.html#tth_chAp2
[1]	http://www.snort.org/docs/writing_rules/
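The following is an added example, not part of the original thread or of Snort itself: a small Python evaluator for just the subset of rule syntax used in the messages above (header fields, `$VAR` and `[...]` address lists, `!` negation, and exact `dsize`/`itype` options). It shows, on constructed echo-request packets, which pings each pass-rule variant suppresses, and why `$HOME_NET !foo` is parsed as a port field rather than a host exclusion. The variable values, network layout, baseline alert rule and its sid are all constructed for the illustration; pass rules are evaluated before alert rules, which mirrors Snort's `-o` ordering.

```python
# Toy evaluator for a subset of Snort rule syntax (added example; not Snort's
# own matcher). Only exact dsize/itype comparisons are supported.
import ipaddress
import re
from dataclasses import dataclass

# Constructed variable definitions: the sensor sits inside HOME_NET.
VARIABLES = {
    "HOME_NET": "10.10.10.0/24",
    "EXTERNAL_NET": "!10.10.10.0/24",
    "SENSOR_IP": "10.10.10.5/32",
    "NOISY_SERVERS": "[10.10.10.10/32,10.10.10.19/32,192.168.1.0/24]",
}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    itype: int  # ICMP type; 8 is echo request
    dsize: int  # payload length in bytes


def parse_rule(text):
    """Split a one-line rule into its seven header fields plus an option dict."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    options = {}
    for opt in m["opts"].split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip()
    return Rule(m["action"], m["proto"], m["src"], m["sport"],
                m["dst"], m["dport"], options)


def addr_matches(spec, ip):
    """Resolve 'any', $VAR, !spec, [a,b,...] and CIDR/host address forms."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return addr_matches(VARIABLES[spec[1:]], ip)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(part, ip) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Header addresses plus the two options the thread relies on."""
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if "itype" in rule.options and int(rule.options["itype"]) != pkt.itype:
        return False
    if "dsize" in rule.options and int(rule.options["dsize"]) != pkt.dsize:
        return False
    return True


def verdict(rules, pkt):
    """First matching rule wins; list pass rules first, as Snort -o does."""
    for text in rules:
        rule = parse_rule(text)
        if rule_matches(rule, pkt):
            return rule.action
    return "none"


# Rules from the thread (syntax normalised) and a constructed baseline alert
# with a placeholder sid that fires on any echo request into HOME_NET.
OPTS = "(dsize:0; itype:8; sid:1000469; rev:1;)"
BROAD_PASS = "pass icmp $EXTERNAL_NET any -> $HOME_NET any " + OPTS
SENSOR_PASS = "pass icmp $EXTERNAL_NET any -> $SENSOR_IP any " + OPTS
NOISY_PASS = "pass icmp $NOISY_SERVERS any -> $SENSOR_IP any " + OPTS
NOT_FOO_RULE = "pass icmp $EXTERNAL_NET any -> $HOME_NET !foo " + OPTS
ALERT_PING = 'alert icmp any any -> $HOME_NET any (msg:"ICMP PING"; itype:8; sid:1000000; rev:1;)'

# Constructed sample packets.
NMAP_TO_SENSOR = Packet("icmp", "203.0.113.7", "10.10.10.5", 8, 0)
NMAP_TO_OTHER = Packet("icmp", "203.0.113.7", "10.10.10.20", 8, 0)
PAYLOAD_PING = Packet("icmp", "203.0.113.7", "10.10.10.5", 8, 32)
NOISY_TO_SENSOR = Packet("icmp", "192.168.1.40", "10.10.10.5", 8, 0)

if __name__ == "__main__":
    for name, rule in [("broad", BROAD_PASS), ("sensor", SENSOR_PASS), ("noisy", NOISY_PASS)]:
        for pkt in (NMAP_TO_SENSOR, NMAP_TO_OTHER, PAYLOAD_PING, NOISY_TO_SENSOR):
            print(name, pkt.src, "->", pkt.dst, "dsize", pkt.dsize, verdict([rule, ALERT_PING], pkt))
    print("dport field of the !foo rule:", parse_rule(NOT_FOO_RULE).dport)
```

Running it shows the broad rule silencing the empty-payload ping to every HOME_NET host, the sensor-scoped rule silencing only the ping to the sensor while still alerting on the same ping to another host and on a 32-byte ping, and the `!foo` variant landing in the destination-port slot of the header.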