[Snort-users] icmp pass rules

John Gay john.gay at ...1935...
Fri Oct 24 07:49:35 EDT 2008


You could use the itype and icode options.  I believe an echo reply would be
type 0 code 0.

John

On Fri, Oct 24, 2008 at 1:35 AM, Stephen Reese <rsreese at ...11827...> wrote:

> I would like to pass echo replies on the internal network but not all
> ICMP traffic. Currently my rule passes all of the internal ICMP
> traffic, is there a way to be specific when creating a pass rule
> with ICMP?
>
> var HOME_NET [172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,172.31.4.0/24,172.31.5.0/24]
>
> #Who cares if internal hosts are pinging each other
> pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; sid:1000002;)
>
> Thanks
>
> On Wed, Oct 22, 2008 at 2:02 PM, Stephen Reese <rsreese at ...11827...> wrote:
> > On Wed, Oct 22, 2008 at 1:32 PM, Joel Esler <eslerj at ...11827...> wrote:
> >> Your rules have no "sid" keyword in them. You must put an sid number in
> >> there above 1 million.
> >> J
> >
> > Thank you Joel, got it with the following:
> >
> > #Ignore redirects from the main router
> > var 3825ROUTER [172.31.1.1/32]
> > pass icmp $3825ROUTER any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; sid:1000000;)
> >
> > #Chatty Minolta copiers
> > var DI200 [172.31.1.223/32,172.31.1.240/32]
> > pass icmp $DI200 any -> $3825ROUTER any (msg:"ICMP redirect net"; sid:1000001;)
> >
>
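
Added example (not part of the original thread): the pass rule from the question, narrowed with the itype and icode options suggested in the reply. The echo-request rule and its sid 1000003 are assumptions added for illustration; ICMP echo request is type 8, code 0.

```snort
var HOME_NET [172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,172.31.4.0/24,172.31.5.0/24]

# Before: passes every ICMP type and code between internal hosts
# pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; sid:1000002;)

# After: passes only echo replies (type 0, code 0) between internal hosts
pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; itype:0; icode:0; sid:1000002;)

# Assumption, not in the thread: also pass echo requests (type 8, code 0).
# The sid is a constructed value above 1000000.
pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Request"; itype:8; icode:0; sid:1000003;)
```

With these rules, other internal ICMP such as redirects (type 5) or destination unreachable (type 3) no longer matches a pass rule and is evaluated by the rest of the rule set.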

