[Snort-users] Tuning snort false positives
Juan.Fernandez at ...2210...
Mon Nov 15 14:34:04 EST 2004
In the process of tuning snort I want to disable all the ICMP alerts.
In acid I see many alerts like this:
[snort <http://www.snort.org/snort-db/sid.html?sid=485>] ICMP Destination
Unreachable Communication Administratively Prohibited
I went into /etc/snort/rules/bad-traffic.rules but didn't see anything
regarding ICMP!!!
Also, in acid the link to snort shows the rule's detail, which is:
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
I can't find this and exclude it!!
Where is it?
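Added example, not part of the original post: shell functions that find which rules file holds an active rule with a given SID and comment that rule out, keeping a backup. The file name sample-icmp.rules and the sample rules marked "constructed" are assumptions made for the demo, and the functions assume one rule per line.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes one rule per line.

# sid_pattern SID: regex for an active (not commented-out) rule with that SID
sid_pattern() {
    printf '^[[:space:]]*[^#[:space:]].*sid:[[:space:]]*%s[[:space:]]*;' "$1"
}

# find_sid DIR SID: print every *.rules file in DIR with an active rule SID
find_sid() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        if grep -qE "$(sid_pattern "$2")" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# disable_sid DIR SID: prefix matching rules with "# ", keeping FILE.bak
disable_sid() {
    find_sid "$1" "$2" | while IFS= read -r f; do
        cp "$f" "$f.bak" &&
            sed -E "/$(sid_pattern "$2")/s/^/# /" "$f.bak" > "$f"
    done
}

# make_sample DIR: write constructed rule files for the demo
make_sample() {
    mkdir -p "$1"
    cat > "$1/bad-traffic.rules" <<'EOF'
alert ip any any -> any any (msg:"constructed sample rule"; sid:1000001; rev:1;)
EOF
    cat > "$1/sample-icmp.rules" <<'EOF'
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"constructed sample rule"; sid:4850; rev:1;)
EOF
}

# Demo on the constructed files in a temporary directory
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
find_sid "$demo_dir" 485        # shows which file carries sid:485
disable_sid "$demo_dir" 485
cat "$demo_dir/sample-icmp.rules"
```

Snort has to be restarted after a rules file is edited for the change to take effect.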