[Snort-users] Surpress ICMP messages between two internal IP's (pass rule)
Keith W. McCammon
mccammon at ...11827...
Sun Jul 25 14:37:02 EDT 2004
> alerts (logging), what I need to know how to do is to define a pass rule
> for this type of traffic going to 10.1.1.21 and 10.1.1.23 (which are
> the IP addresses it is tripping on) from 172.21.x.x, is there a good example of
> how this is done)? (172.21.x.x usually consists of workstation traffic from one
> office, and 10.1.1.x are servers, as a general rule).
See this response to your previous post. Writing pass rules is, in
general, a less efficient method in the long run. You should be using
suppress. See this response to one of your previous posts:
If you must write a pass rule, just copy and paste the offending rule,
changing the source and destination accordingly. Then start snort
with the -o option, so that pass rules are processed first.
> Does the Snort 2.1 book show good examples of these things, I've been meaning
> to buy it, but don't know if it would apply with the new 2.2 series being
> worked on?
Either solution is very simple. Just read the documentation. The
book is neat and all, but these are one- and two-line config or rule
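
Added example, not part of the original message: the two approaches discussed above, written out for the addresses in the question. It assumes 172.21.x.x means 172.21.0.0/16; <SID> is a placeholder for the signature ID shown in the alert, and the pass rule's msg and sid are constructed.

```conf
# --- threshold.conf: suppress (the approach recommended above) ---
# <SID> is a placeholder: use the sig_id printed in the alert being silenced.
# gen_id 1 is the generator for ordinary text rules.
# suppress tracks only ONE side of the flow (by_src or by_dst), so choose:

# Option A: silence the signature for everything sourced from the office range.
suppress gen_id 1, sig_id <SID>, track by_src, ip 172.21.0.0/16

# Option B: silence it for the two servers as destination, from any source.
suppress gen_id 1, sig_id <SID>, track by_dst, ip 10.1.1.21
suppress gen_id 1, sig_id <SID>, track by_dst, ip 10.1.1.23

# --- local.rules: pass rule (the fallback described above) ---
# A pass rule can pin both ends of the flow. Copy the offending rule and
# change action, source and destination; the options here are constructed
# stand-ins for the copied rule's options.
pass icmp 172.21.0.0/16 any -> [10.1.1.21,10.1.1.23] any (msg:"PASS office ICMP to servers"; sid:1000001; rev:1;)

# Start snort with -o so pass rules are evaluated before alert rules;
# without it the alert rule still fires.
```

Option A also hides the signature when an office workstation sends the same traffic to any other host, and Option B hides it for any source reaching the two servers; only the pass rule restricts both ends.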