[Snort-users] icmp pass rules

Stephen Reese rsreese at ...11827...
Fri Oct 24 10:33:20 EDT 2008


Last one I hope, I'm already using a few pass rules:

#Ignore redirects from the main router to internet gateway
var 3825ROUTER [172.31.1.1/32]
pass icmp $3825ROUTER any -> $HOME_NET any

#Chatty Minolta copiers
var DI200 [172.31.1.223/32,172.31.1.240/32]
pass icmp $DI200 any -> $3825ROUTER any

If I decide to check out suppression, is it viable to use it for all of
my 'passing' needs?

On Fri, Oct 24, 2008 at 10:24 AM, Joel Esler <joel.esler at ...1935...> wrote:
> It all depends on the situation. But in this case it's rather easy. Use a
> suppression.
>
> --
> Joel Esler
> Sent from my iPhone
>
> On Oct 24, 2008, at 9:14 AM, "Stephen Reese" <rsreese at ...11827...> wrote:
>
>> On Fri, Oct 24, 2008 at 9:06 AM, Joel Esler <eslerj at ...11827...> wrote:
>>>
>>> No, why would you say that?  Less of a penalty than a pass rule.
>>>
>>
>> John Gay mentioned using:
>>
>>> You could use the itype and icode options.  I believe an echo reply would
>>> be type 0 code 0.
>>
>> So I'm assuming I can still use pass rules by adding more information.
>>
>> The real question is why do pass rules even exist if you could use
>> suppression instead and not have the performance penalty.
>>
>> Thanks for everyone's time in advance...
>



