[Snort-users] Tuning snort false positives

prabu prabu333 at ...8908...
Tue Nov 16 01:01:05 EST 2004

>In the process of tuning snort I want to disable all the ICMP alerts.

>In acid I see many alerts like this:

>[snort] ICMP Destination Unreachable Communication Administratively Prohibited

>I went into /etc/snort/rules/bad-traffic.rules but didn't see anything regarding ICMP!!!

Simply go into your snort configuration file and comment out icmp.rules. Then restart your snort.

To make it much easier,

open the snort.conf in your favourite editor

move to line number 521

it will look like this:

include $RULE_PATH/icmp.rules

then you have to change it to:

#include $RULE_PATH/icmp.rules

>alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;) 

>I can't find this and exclude it!!

>Where is it?

This rule will be present in the file /urpath/rule/icmp.rules

Senthil Prabu.S
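
The reply above comments out the include by line number, which differs between snort.conf versions. The following added example (not from the original post or the Snort project) finds the rule by sid and disables either that one rule or the whole icmp.rules include by pattern; the directory layout, the helper names and the second rule are constructed for illustration.

```sh
#!/bin/sh
# Added example: disable one Snort rule by sid, or a whole rules file,
# matching by pattern instead of by line number in snort.conf.

# Regex for an active (uncommented) rule line carrying exactly this sid.
rule_re() { printf '^[[:space:]]*[a-z]+ .*[(;][[:space:]]*sid:[[:space:]]*%s;' "$1"; }

# Print "file:line" for each active rule with the sid under RULES_DIR.
find_rule() {        # usage: find_rule RULES_DIR SID
    grep -rnHE --include='*.rules' "$(rule_re "$2")" "$1" | cut -d: -f1,2
}

# Comment out only that rule; the original is kept as FILE.bak.
disable_sid() {      # usage: disable_sid RULES_FILE SID
    cp -p "$1" "$1.bak" && sed -E "/$(rule_re "$2")/s/^/#/" "$1.bak" > "$1"
}

# Comment out the include line for one rules file, e.g. icmp.rules.
disable_include() {  # usage: disable_include SNORT_CONF RULES_FILE_NAME
    cp -p "$1" "$1.bak" &&
    sed -E "s|^([[:space:]]*include[[:space:]]+.*/$2[[:space:]]*)\$|#\1|" "$1.bak" > "$1"
}

# Constructed sample layout (not a real installation); second rule is made up.
work=$(mktemp -d) && mkdir "$work/rules"
printf '%s\n' 'var RULE_PATH ../rules' 'include $RULE_PATH/icmp-info.rules' \
    'include $RULE_PATH/icmp.rules' > "$work/snort.conf"
printf '%s\n' \
    'alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)' \
    'alert icmp any any -> any any (msg:"constructed sample rule"; sid:4850; rev:1;)' \
    > "$work/rules/icmp.rules"

find_rule "$work/rules" 485                     # prints <work>/rules/icmp.rules:1
disable_sid "$work/rules/icmp.rules" 485        # narrow: only sid 485
disable_include "$work/snort.conf" icmp.rules   # broad: the whole file, as in the reply
rm -rf "$work"
```

Disabling only sid 485 keeps the other ICMP rules active, while commenting out the include silences every rule in icmp.rules. Either change takes effect after snort is restarted.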
