[Snort-users] Surpress ICMP messages between two internal IP's (pass rule)

Keith W. McCammon mccammon at ...11827...
Sun Jul 25 14:37:02 EDT 2004


> alerts (logging), what I need to know how to do is to define a pass rule
> for this type of traffic going to 10.1.1.21 and 10.1.1.23 (which are
> the IP addresses it is tripping on) from 172.21.x.x, is there a good example of how
> this is done?  (172.21.x.x usually consists of workstation traffic from one
> office, and 10.1.1.x are servers, as a general rule).

See this response to your previous post.  Writing pass rules is, in
general, a less efficient method in the long run.  You should be using
suppress.  See this response to one of your previous posts:
http://archives.neohapsis.com/archives/snort/2004-07/0378.html.

If you must write a pass rule, just copy and paste the offending rule,
changing the source and destination accordingly.  Then start snort
with the -o option, so that pass rules are processed first.
 
> Does the Snort 2.1 book show good examples of these things, I've been meaning
> to buy it, but don't know if it would apply with the new 2.2 series being
> worked on?

Either solution is very simple.  Just read the documentation.  The
book is neat and all, but these are one- and two-line config or rule
changes.
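
The two options described in this reply, written out as an added example; it is not part of the original post or taken from the Snort documentation. The /16 mask for 172.21.x.x, the file names, and the <SID> and rule-option placeholders are assumptions; the real values come from the alert that is firing.

```conf
# --- Option 1: suppress (assumed location: threshold.conf, included from snort.conf) ---
# The rule stays loaded; only the event output for the listed address is dropped.
# gen_id 1 is the standard rules engine. <SID> is a placeholder for the sid of
# the ICMP rule that is firing (the thread does not give it).
# A suppress entry tracks one side of the flow only, so tracking by destination
# takes one line per server and silences this sid for those servers from ANY source.
suppress gen_id 1, sig_id <SID>, track by_dst, ip 10.1.1.21
suppress gen_id 1, sig_id <SID>, track by_dst, ip 10.1.1.23

# Alternative: track by source instead. This silences the sid for the whole
# workstation range toward ANY destination, not just the two servers.
# suppress gen_id 1, sig_id <SID>, track by_src, ip 172.21.0.0/16

# --- Option 2: pass rule (assumed location: local.rules) ---
# Copy of the offending rule with the action changed to "pass" and the source
# and destination narrowed. Keep the copied options so the pass rule matches
# only the traffic the original signature matched.
pass icmp 172.21.0.0/16 any -> [10.1.1.21,10.1.1.23] any (<options copied from the offending rule>)

# Pass rules only take priority when snort is started with -o, e.g.
#   snort -o -c /etc/snort/snort.conf      (config path is an assumption)
```

A packet that matches a pass rule is ignored by Snort, so no other rule alerts on it either; suppress removes only the one signature's events, which is why it is the narrower change.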



