[Snort-users] Suppress ICMP messages between two internal IPs (pass rule)

dogbert at ...11664...
Fri Jul 23 16:16:07 EDT 2004


Hi All,

   In doing some more research, it turns out that the offenders are Windows 
domain controllers, causing Snort to see:

ICMP Large ICMP Packet <--- used by Windows domain controllers to determine the 
speed of a given link (in this case, the VPN we use).

ICMP L3retriever Ping
ICMP PING NMAP

alerts (logging). What I need to know is how to define a pass rule
for this type of traffic going to 10.1.1.21 and 10.1.1.23 (which are
the IP addresses it is tripping on) from 172.21.x.x. Is there a good example 
of how this is done? (172.21.x.x usually consists of workstation traffic from 
one office, and 10.1.1.x are servers, as a general rule.)

Does the Snort 2.1 book show good examples of these things? I've been meaning 
to buy it, but don't know if it would apply with the new 2.2 series being 
worked on.

Bill
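
One way to write the pass rule asked about above, as an added example that is not part of the original post. It assumes "172.21.x.x" means 172.21.0.0/16, that the traffic in question is ICMP echo requests, and that the sid and msg values (constructed here) are free in the local rule set.

```snort
# local.rules (added example; sid, rev and msg are constructed values)
#
# Assumption: "172.21.x.x" in the post is the /16 network 172.21.0.0/16.
# Assumption: the noisy traffic is ICMP echo requests (itype 8) sent by the
# workstations to the two servers. Keeping itype:8 limits the blind spot to
# pings; removing it would pass every ICMP type between these hosts.
pass icmp 172.21.0.0/16 any -> [10.1.1.21,10.1.1.23] any (msg:"LOCAL pass workstation ping to DCs"; itype:8; sid:1000001; rev:1;)

# Snort 2.x evaluates rules in Alert -> Pass -> Log order by default, so the
# alert rules would still fire before this pass rule is reached.
# Start Snort with -o to switch to Pass -> Alert -> Log order, e.g.:
#   snort -o -c snort.conf      (config path is a placeholder)
```

A pass rule hides everything it matches from all alert rules, so keep the source network, destination list and ICMP type as narrow as the environment allows.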





