[Snort-users] icmp pass rules

Joel Esler eslerj at ...11827...
Fri Oct 24 09:06:15 EDT 2008


No, why would you say that? Less of a penalty than a pass rule.

On Fri, Oct 24, 2008 at 9:02 AM, Stephen Reese <rsreese at ...11827...> wrote:

> I would assume there's a pretty large penalty for using suppression?
>
> http://www.snort.org/docs/snort_htmanuals/htmanual_260/node24.html
>
> On Fri, Oct 24, 2008 at 7:59 AM, Joel Esler <joel.esler at ...1935...> wrote:
> > You should use suppression.
> >
> > --
> > Joel Esler
> > Sent from my iPhone
> >
> > On Oct 24, 2008, at 1:35 AM, "Stephen Reese" <rsreese at ...11827...> wrote:
> >
> >> I would like to pass echo replies on the internal network but not all
> >> ICMP traffic. Currently my rule passes all of the internal ICMP
> >> traffic; is there a way to be specific when creating a pass rule
> >> with ICMP?
> >>
> >> var HOME_NET [172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,172.31.4.0/24,172.31.5.0/24]
> >>
> >> #Who cares if internal hosts are pinging each other
> >> pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; sid:1000002;)
> >>
> >> Thanks
> >>
> >> On Wed, Oct 22, 2008 at 2:02 PM, Stephen Reese <rsreese at ...11827...> wrote:
> >>>
> >>> On Wed, Oct 22, 2008 at 1:32 PM, Joel Esler <eslerj at ...11827...> wrote:
> >>>>
> >>>> Your rules have no "sid" keyword in them. You must put an sid number in
> >>>> there above 1 million.
> >>>> J
> >>>
> >>> Thank you Joel, got it with the following:
> >>>
> >>> #Ignore redirects from the main router
> >>> var 3825ROUTER [172.31.1.1/32]
> >>> pass icmp $3825ROUTER any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; sid:1000000;)
> >>>
> >>> #Chatty Minolta copiers
> >>> var DI200 [172.31.1.223/32,172.31.1.240/32]
> >>> pass icmp $DI200 any -> $3825ROUTER any (msg:"ICMP redirect net"; sid:1000001;)
> >>>
> >
>
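
The two options discussed in this thread, side by side, as an added example that is not part of the original messages: a pass rule narrowed to echo replies only, and the suppression alternative. It uses Snort 2.x syntax and the thread's own addresses and local SID. The assumptions are the `itype`/`icode` restriction, the `rev` bump, and that sid 408 is the stock "ICMP Echo Reply" alert in your ruleset.

```snort
# Added example (constructed), Snort 2.x syntax. Networks and sid:1000002 come from the thread.
var HOME_NET [172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,172.31.4.0/24,172.31.5.0/24]

# Before (as posted): no ICMP options, so every internal ICMP packet matches the pass rule.
# pass icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; sid:1000002;)

# Option 1: narrowed pass rule.
# itype:0 / icode:0 restrict the match to ICMP type 0, code 0 (echo reply).
# Redirects, unreachables and other ICMP between internal hosts are still inspected.
# Caveat: a packet that matches a pass rule is not evaluated against the remaining rules.
pass icmp $HOME_NET any -> $HOME_NET any (msg:"Pass internal ICMP Echo Reply"; itype:0; icode:0; sid:1000002; rev:2;)

# Option 2: suppression (threshold.conf, or snort.conf).
# Assumption: sid 408 is the "ICMP Echo Reply" alert; confirm with
#   grep 'ICMP Echo Reply' /path/to/rules/*.rules
# The rule still runs; only its events are dropped for the tracked addresses.
# One line per subnet, since older 2.x releases accept a single CIDR per suppress line.
# Caveat: track by_src keys on the source only, so echo replies from these
# subnets to any destination are silenced, not just internal-to-internal ones.
suppress gen_id 1, sig_id 408, track by_src, ip 172.31.1.0/24
suppress gen_id 1, sig_id 408, track by_src, ip 172.31.2.0/24
suppress gen_id 1, sig_id 408, track by_src, ip 172.31.3.0/24
suppress gen_id 1, sig_id 408, track by_src, ip 172.31.4.0/24
suppress gen_id 1, sig_id 408, track by_src, ip 172.31.5.0/24
```

Use one option or the other, then validate the configuration with `snort -T -c /path/to/snort.conf` before reloading the sensor.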