[Snort-users] PP not ignoring ICMP

Agus agus.262 at ...11827...
Fri Apr 8 18:13:23 EDT 2011


Hey JJ..

These ones:

[1:368:6] ICMP PING BSDtype [Classification: Misc activity] [Priority: 3]: {ICMP}
[1:369:6] ICMP PING BayRS Router [Classification: Misc activity] [Priority: 3]: {ICMP}
[1:373:6] ICMP PING Flowpoint2200 or Network Management Software [Classification: Misc activity] [Priority: 3]: {ICMP}

Thanks

2011/4/8 JJC <cummingsj at ...11827...>:
> What SIDs were you seeing fire?
>
> On Fri, Apr 8, 2011 at 3:59 PM, JJC <cummingsj at ...11827...> wrote:
>>
>> I'll test right quick and let you know what I find... that error just
>> indicates that you have an outdated LWP::UserAgent perl module, should not
>> affect the area that you are having issues with.
>>
>> JJC
>>
>> On Fri, Apr 8, 2011 at 3:53 PM, Agus <agus.262 at ...11827...> wrote:
>>>
>>> Hi guys,
>>>
>>> I can't make PP ignore icmp rules. I'm running PP-060. snort 2.9.0.3
>>>
>>> I have this line in my pulledpork.conf
>>>
>>> ignore=deleted.rules,experimental.rules,local.rules,icmp.rules,emerging-drop-BLOCK,emerging-compromised-BLOCK,emerging-dshield-BLOCK,emerging-botcc-BLOCK,emerging-rbn-BLOCK,emerging-tor-BLOCK
>>>
>>> I have also tried with icmp only and same issue. Still getting the
>>> icmp alerts and seeing them in the snort.rules.
>>>
>>> pulledpork.pl -n -c etc/pulledpork.conf -T -v
>>> shows:
>>>        ignore =
>>> deleted.rules,experimental.rules,local.rules,icmp.rules,emerging-drop-BLOCK,emerging-compromised-BLOCK,emerging-dshield-BLOCK,emerging-botcc-BLOCK,emerging-rbn-BLOCK,emerging-tor-BLOCK
>>>
>>> then it gives me an error, probably something with the perl module.
>>> Can't locate object method "show_progress" via package
>>> "LWP::UserAgent" at ./pulledpork.pl line 1651.
>>>
>>> Still ICMP rules in snort.rules
>>>
>>> Any thoughts?
>>>
>>> Cheers
>>>
>>>
>>
>
>
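
One way to confirm the symptom reported in this thread is to take the [gid:sid:rev] headers of the alerts that fired and check whether those SIDs are still present and uncommented in the generated snort.rules. This is an added example, not part of the original messages and not PulledPork's own code; the function names are hypothetical and the rule bodies are constructed, simplified samples.

```python
import re

ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")   # [gid:sid:rev]
RULE_START = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s")
RULE_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Alert headers as posted in the thread.
SAMPLE_ALERTS = """\
[1:368:6] ICMP PING BSDtype [Classification: Misc activity] [Priority: 3]: {ICMP}
[1:369:6] ICMP PING BayRS Router [Classification: Misc activity] [Priority: 3]: {ICMP}
[1:373:6] ICMP PING Flowpoint2200 or Network Management Software [Classification: Misc activity] [Priority: 3]: {ICMP}
"""

# Constructed rule bodies (simplified, not the real rule text).
SAMPLE_RULES = """\
# constructed sample of a generated rules file
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BSDtype"; itype:8; sid:368; rev:6;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BayRS Router"; itype:8; sid:369; rev:6;)
alert tcp any any -> any 80 (msg:"constructed unrelated rule"; sid:1000001; rev:1;)
"""

def fired_ids(alert_text):
    """Return the set of (gid, sid) pairs named in alert headers."""
    return {(int(g), int(s)) for g, s, _ in ALERT_ID.findall(alert_text)}

def rule_states(rules_text):
    """Map (gid, sid) -> 'enabled' or 'disabled' for every rule line."""
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        disabled = stripped.startswith("#")      # commented-out rule
        body = stripped.lstrip("#").strip()
        sid = RULE_SID.search(body)
        if not RULE_START.match(body) or not sid:
            continue                             # plain comment or blank line
        gid = RULE_GID.search(body)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        if states.get(key) != "enabled":         # an active copy wins
            states[key] = "disabled" if disabled else "enabled"
    return states

def still_enabled(alert_text, rules_text):
    """Fired (gid, sid) pairs that are still active in the rules file."""
    states = rule_states(rules_text)
    return sorted(k for k in fired_ids(alert_text) if states.get(k) == "enabled")

if __name__ == "__main__":
    for gid, sid in still_enabled(SAMPLE_ALERTS, SAMPLE_RULES):
        print(f"{gid}:{sid} is still active in the rules file")
```

A SID that fired but is absent from the file Snort was last started with points at a stale running rule set rather than at the generated file.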