[Snort-users] icmp pass rules

Stephen Reese rsreese at ...11827...
Fri Oct 24 12:58:58 EDT 2008


I think I answered my own question. Since suppression seems to only
filter on src or dst it probably doesn't work for everything because I
could still miss packets depending on what I'm trying to skip unless
it's common to write multiple suppression rules:

suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.1
suppress gen_id 1, sig_id 404, track by_dst, ip 172.31.1.0/24
suppress gen_id 1, sig_id 404, track by_dst, ip 172.31.2.0/24
suppress gen_id 1, sig_id 404, track by_dst, ip 172.31.3.0/24
suppress gen_id 1, sig_id 404, track by_dst, ip 172.31.4.0/24
suppress gen_id 1, sig_id 404, track by_dst, ip 172.31.5.0/24

instead of one pass rule.

pass icmp $3825ROUTER any -> $HOME_NET any (msg:"ICMP Destination
Unreachable Protocol Unreachable"; icode:2; itype:3; sid:1000000;)

On Fri, Oct 24, 2008 at 10:33 AM, Stephen Reese <rsreese at ...11827...> wrote:
> Last one I hope, I'm already using a few pass rules:
>
> #Ignore redirects from the main router to internet gateway
> var 3825ROUTER [172.31.1.1/32]
> pass icmp $3825ROUTER any -> $HOME_NET any
>
> #Chatty Minolta copiers
> var DI200 [172.31.1.223/32,172.31.1.240/32]
> pass icmp $DI200 any -> $3825ROUTER any
>
> If I decide to check out suppression is it viable to use it for all of
> my 'passing' needs?
>
> On Fri, Oct 24, 2008 at 10:24 AM, Joel Esler <joel.esler at ...1935...> wrote:
>> It all depends on the situation. But in this case it's rather easy. Use a
>> suppression.
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On Oct 24, 2008, at 9:14 AM, "Stephen Reese" <rsreese at ...11827...> wrote:
>>
>>> On Fri, Oct 24, 2008 at 9:06 AM, Joel Esler <eslerj at ...11827...> wrote:
>>>>
>>>> No, why would you say that?  Less of a penalty than a pass rule.
>>>>
>>>
>>> John Gay mentioned using:
>>>
>>>> You could use the itype and icode options.  I believe an echo reply would
>>>> be type 0 code 0.
>>>
>>> So I'm assuming I can still use pass rules by adding more information.
>>>
>>> The real question is why do pass rules even exist if you could use
>>> suppression instead and not have the performance penalty.
>>>
>>> Thanks for everyone's time in advance...
>>
>
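The top post's worry (that `suppress` tracks only one side of a conversation, so a list of by_src/by_dst entries cannot reproduce a src -> dst pass rule) is easy to check by modelling both mechanisms as data and running sample packets through them. The script below is an added illustration, not part of the thread or of Snort itself: it encodes the six `suppress` lines and the itype/icode `pass` rule from the message, assumes `$HOME_NET` is `172.31.0.0/16` (the thread never states it), and uses constructed packets and one constructed sig_id (999999) to show where the two approaches disagree.

```python
"""Model Snort 2 'suppress' entries against a 'pass' rule to show where a
one-sided (by_src / by_dst) suppression list and a src->dst pass rule differ.
Added example; not code from the Snort-users thread or from Snort."""
import ipaddress
from dataclasses import dataclass

# Assumption: $HOME_NET is not given in the thread; 172.31.0.0/16 is used here.
HOME_NET = [ipaddress.ip_network("172.31.0.0/16")]
ROUTER = [ipaddress.ip_network("172.31.1.1/32")]  # $3825ROUTER from the thread


@dataclass
class Packet:
    src: str
    dst: str
    itype: int
    icode: int
    sig_id: int  # the signature that would fire on this packet
    gen_id: int = 1


@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: str  # "by_src" or "by_dst", as in the suppress syntax
    net: ipaddress.IPv4Network


@dataclass
class PassRule:
    src_nets: list
    dst_nets: list
    itype: int
    icode: int


def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


# The six suppress lines from the message, as data.
SUPPRESS = [Suppress(1, 404, "by_src", ipaddress.ip_network("172.31.1.1/32"))] + [
    Suppress(1, 404, "by_dst", ipaddress.ip_network(f"172.31.{i}.0/24"))
    for i in range(1, 6)
]

# The pass rule from the message: pass icmp $3825ROUTER any -> $HOME_NET any (itype:3; icode:2)
PASS = [PassRule(ROUTER, HOME_NET, itype=3, icode=2)]


def is_suppressed(pkt, entries=SUPPRESS):
    """A suppress entry silences one gen_id/sig_id pair, keyed on src OR dst."""
    for e in entries:
        if (e.gen_id, e.sig_id) != (pkt.gen_id, pkt.sig_id):
            continue
        addr = pkt.src if e.track == "by_src" else pkt.dst
        if in_nets(addr, [e.net]):
            return True
    return False


def is_passed(pkt, rules=PASS):
    """A pass rule matches on src AND dst AND ICMP type/code, regardless of sid."""
    return any(
        in_nets(pkt.src, r.src_nets)
        and in_nets(pkt.dst, r.dst_nets)
        and pkt.itype == r.itype
        and pkt.icode == r.icode
        for r in rules
    )


def classify(pkt):
    """Return (alerts_with_pass_rule, alerts_with_suppress_list)."""
    return (not is_passed(pkt), not is_suppressed(pkt))


# Constructed sample packets (addresses from the thread's ranges plus RFC 5737 outsiders).
SAMPLE = {
    "router_to_lan": Packet("172.31.1.1", "172.31.2.50", 3, 2, 404),
    "outsider_to_lan": Packet("203.0.113.9", "172.31.2.50", 3, 2, 404),
    "router_to_internet": Packet("172.31.1.1", "198.51.100.7", 3, 2, 404),
    "router_to_lan_other_sid": Packet("172.31.1.1", "172.31.2.50", 3, 2, 999999),
}


def disagreements(samples=SAMPLE):
    """Names of packets where the pass rule and the suppress list give different results."""
    return [name for name, pkt in samples.items() if classify(pkt)[0] != classify(pkt)[1]]


if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:26s} pass-rule alerts={classify(pkt)[0]!s:5s} suppress alerts={classify(pkt)[1]}")
    print("disagree:", disagreements())
```

Three of the four packets come out differently. The `by_dst` entries silence sid 404 for traffic from any source into those /24s, not just from the router, so an outsider's unreachable messages into the LAN are lost; the `by_src` entry silences router traffic to every destination, including addresses outside `$HOME_NET`; and the pass rule works the other way round, dropping the matching traffic from inspection entirely, so any other signature on the same packet is silenced too, while suppression only ever touches the named gen_id/sig_id. Whichever mechanism is chosen, this kind of table of sample flows is a cheap way to confirm that a filter hides exactly the alerts it is meant to hide.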