[Snort-users] icmp pass rules
rsreese at ...11827...
Fri Oct 24 10:33:20 EDT 2008
Last one I hope, I'm already using a few pass rules:
#Ignore redirects from the main router to internet gateway
var 3825ROUTER [172.31.1.1/32]
pass icmp $3825ROUTER any -> $HOME_NET any
#Chatty Minolta copiers
var DI200 [172.31.1.223/32,172.31.1.240/32]
pass icmp $DI200 any -> $3825ROUTER any
If I decide to check out suppression, is it viable to use it for all of
my 'passing' needs?
On Fri, Oct 24, 2008 at 10:24 AM, Joel Esler <joel.esler at ...1935...> wrote:
> It all depends on the situation. But in this case it's rather easy. Use a
> Joel Esler
> Sent from my iPhone
> On Oct 24, 2008, at 9:14 AM, "Stephen Reese" <rsreese at ...11827...> wrote:
>> On Fri, Oct 24, 2008 at 9:06 AM, Joel Esler <eslerj at ...11827...> wrote:
>>> No, why would you say that? Less of a penalty than a pass rule.
>> John Gay mentioned using:
>>> You could use the itype and icode options. I believe an echo reply would
>>> be type 0 code 0.
>> So I'm assuming I can still use pass rules by adding more information.
>> The real question is why do pass rules even exist if you could use
>> suppression instead and not have the performance penalty.
>> Thanks for everyone's time in advance...