[Snort-users] icmp pass rules

Stephen Reese rsreese at ...11827...
Fri Oct 24 09:14:14 EDT 2008


On Fri, Oct 24, 2008 at 9:06 AM, Joel Esler <eslerj at ...11827...> wrote:
> No, why would say that?  Less of a penalty than a pass rule.
>

John Gay mentioned using:

>You could use the itype and icode options.  I believe an echo reply would be type 0 code 0.

So I'm assuming can can still use pass rules by adding more information.

The real question is why do pass rules even exist if you could use
suppression instead and not have the performance penalty.

Thanks for everyone's time in advance...




More information about the Snort-users mailing list