[Snort-users] Tuning snort false positives

Juan Fernandez Juan.Fernandez at ...2210...
Mon Nov 15 14:34:04 EST 2004


Hi,

In the process of tuning Snort I want to disable all the ICMP alerts.

In ACID I see many alerts like this:

  [snort <http://www.snort.org/snort-db/sid.html?sid=485>] ICMP Destination Unreachable Communication Administratively Prohibited

I went into /etc/snort/rules/bad-traffic.rules but didn't see anything
regarding ICMP!!!

Also, in ACID, the link to Snort shows the rule's detail, which is:

alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)

I can't find this and exclude it!!

Where is it?

Thanks,

juan 
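
One way to locate the rule asked about above and comment it out, as an added example that is not part of the original post. It assumes rules sit one per line in *.rules files under the directory from the post; the function names find_sid, disable_sid and make_sample are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: find which rule file defines a Snort SID and comment it out.

# Print "file:line" for each active (uncommented) rule carrying the SID.
find_sid() {
    sid="$1"; dir="${2:-/etc/snort/rules}"
    # "sid:485;" must not match sid:4850; lines starting with '#' are skipped.
    grep -nE "^[[:space:]]*[^#[:space:]].*sid:[[:space:]]*${sid};" \
        "$dir"/*.rules /dev/null 2>/dev/null | cut -d: -f1,2
}

# Comment the rule out in place, keeping one backup copy per file.
disable_sid() {
    sid="$1"; dir="${2:-/etc/snort/rules}"
    find_sid "$sid" "$dir" | while IFS=: read -r file line; do
        [ -e "$file.bak" ] || cp -p "$file" "$file.bak"
        sed "${line}s/^/# /" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        echo "disabled sid $sid at $file:$line"
    done
}

# Constructed sample rules directory (file layout and the second rule are made up).
make_sample() {
    d=$(mktemp -d)
    cat > "$d/icmp.rules" <<'EOF'
# constructed sample file
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"constructed sample rule"; itype:8; sid:4850; rev:1;)
EOF
    : > "$d/bad-traffic.rules"
    echo "$d"
}

# Demo on the constructed sample: runs only when invoked with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample)
    find_sid 485 "$d"
    disable_sid 485 "$d"
    rm -rf "$d"
fi
```

Snort has to be restarted after the edit for the change to take effect.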

 
