[Snort-users] Tuning snort false positives
prabu333 at ...8908...
Tue Nov 16 01:01:05 EST 2004
>In the process of tuning snort I want to disable all the Icmp alerts.
>In acid I see many alerts like this:
>snort] ICMP Destination Unreachable Communication Administratively Prohibited
>I entered to /etc/snort/rules/bad-traffic.rules but didn't saw nothing regarding ICMP !!!
Simply get into your snort configuration file, comment out icmp.rules. Then restart your snort.
To make it much easier,
open the snort.conf in your favourite editor,
move to line number 521;
it will be like this
then you have to change it to:
>alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
>I cant find this and exclude it !!
>Where is it?
This rule will be present in the file /urpath/rule/icmp.rules
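The steps above (find which rules file carries a sid, then comment it out or comment out the include in snort.conf) as a small bash script; this is an added example, not code from the thread or from the Snort project, and it works on a constructed snort.conf and icmp.rules in a temp directory rather than on /etc/snort. The helper names are my own.

```bash
#!/usr/bin/env bash
# Added example: constructed snort.conf and icmp.rules in a temp dir.
# Shows (1) locating the rules file that holds a sid, (2) disabling
# only that sid instead of the whole category, and (3) commenting out
# the "include $RULE_PATH/icmp.rules" line, as the reply suggests.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/rules"

# Constructed snort.conf fragment (the include line is what gets commented out).
cat > "$WORK/snort.conf" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/icmp.rules
EOF

# Constructed rules file containing sid 485 as quoted in the thread.
cat > "$WORK/rules/icmp.rules" <<'EOF'
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"ICMP PING"; itype:8; classtype:misc-activity; sid:384; rev:5;)
EOF

# Print the rules file(s) under $1 that contain sid $2 (answers "Where is it?").
find_rule_file_for_sid() {
    grep -l -E "sid:[[:space:]]*$2;" "$1"/*.rules
}

# Comment out only the rule with sid $2 in file $1; other rules stay active.
disable_sid() {
    sed -i -E "/sid:[[:space:]]*$2;/s/^alert/#alert/" "$1"
}

# Comment out the include line for rules file $2 in snort.conf $1.
disable_include() {
    sed -i -E "s|^include (.*/$2)$|#include \1|" "$1"
}

# Number of still-active (uncommented) alert rules in file $1.
active_rule_count() {
    grep -c '^alert' "$1"
}

# Stand-alone run: show which file sid 485 lives in.
find_rule_file_for_sid "$WORK/rules" 485
```

Disabling a single sid keeps the rest of icmp.rules in force, which is usually the better tuning choice than dropping the whole include.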