[Snort-users] PP not ignoring ICMP

JJC cummingsj at ...11827...
Fri Apr 8 18:20:39 EDT 2011


Those rules don't live in icmp.rules, they live in icmp-info.rules, so you
would have to also ignore icmp-info.rules.

JJC

On Fri, Apr 8, 2011 at 4:13 PM, Agus <agus.262 at ...11827...> wrote:

> Hey JJ..
>
> these ones
>
> [1:368:6] ICMP PING BSDtype  [Classification: Misc activity] [Priority: 3]: {ICMP}
> [1:369:6] ICMP PING BayRS Router  [Classification: Misc activity] [Priority: 3]: {ICMP}
> [1:373:6] ICMP PING Flowpoint2200 or Network Management Software [Classification: Misc activity] [Priority: 3]: {ICMP}
>
> Thanks
>
> 2011/4/8 JJC <cummingsj at ...11827...>:
> > What SIDs were you seeing fire?
> >
> > On Fri, Apr 8, 2011 at 3:59 PM, JJC <cummingsj at ...11827...> wrote:
> >>
> >> I'll test right quick and let you know what I find... that error just
> >> indicates that you have an outdated LWP::UserAgent perl module, should not
> >> affect the area that you are having issues with.
> >>
> >> JJC
> >>
> >> On Fri, Apr 8, 2011 at 3:53 PM, Agus <agus.262 at ...11827...> wrote:
> >>>
> >>> Hi guys,
> >>>
> >>> I can't make PP ignore icmp rules. I'm running PP-060, snort 2.9.0.3.
> >>>
> >>> I have this line in my pulledpork.conf
> >>>
> >>> ignore=deleted.rules,experimental.rules,local.rules,icmp.rules,emerging-drop-BLOCK,emerging-compromised-BLOCK,emerging-dshield-BLOCK,emerging-botcc-BLOCK,emerging-rbn-BLOCK,emerging-tor-BLOCK
> >>>
> >>> I have also tried with icmp only and same issue. Still getting the
> >>> icmp alerts and seeing them in the snort.rules.
> >>>
> >>> pulledpork.pl -n -c etc/pulledpork.conf -T -v
> >>> shows:
> >>>        ignore = deleted.rules,experimental.rules,local.rules,icmp.rules,emerging-drop-BLOCK,emerging-compromised-BLOCK,emerging-dshield-BLOCK,emerging-botcc-BLOCK,emerging-rbn-BLOCK,emerging-tor-BLOCK
> >>>
> >>> then it gives me an error, probably something with the perl module.
> >>> Can't locate object method "show_progress" via package
> >>> "LWP::UserAgent" at ./pulledpork.pl line 1651.
> >>>
> >>> Still ICMP rules in snort.rules
> >>>
> >>> Any thoughts?
> >>>
> >>> Cheers
> >>>
> >>>
> >>>
> >>
> >
> >
>
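
The thread turns on which rule file actually defines the alerting SIDs. The following is an added example, not code from the thread or from PulledPork: it maps the SIDs in the quoted alerts to the file that defines them and reports files missing from an `ignore=` value. The rule bodies are constructed, and the function names and exact-name matching of `ignore=` entries are assumptions.

```python
import re

# Constructed, simplified stand-ins for two files of a Snort rule tarball.
# File names and SIDs 368/369/373 are from the thread; the rule bodies are not.
SAMPLE_RULE_FILES = {
    "icmp.rules": [
        'alert icmp any any -> any any (msg:"constructed rule"; sid:1000001; rev:1;)',
    ],
    "icmp-info.rules": [
        'alert icmp any any -> any any (msg:"ICMP PING BSDtype"; sid:368; rev:6;)',
        'alert icmp any any -> any any (msg:"ICMP PING BayRS Router"; sid:369; rev:6;)',
        'alert icmp any any -> any any (msg:"ICMP PING Flowpoint2200"; sid:373; rev:6;)',
    ],
}

# Alert headers as quoted in the thread.
SAMPLE_ALERTS = (
    "[1:368:6] ICMP PING BSDtype [Classification: Misc activity] [Priority: 3]: {ICMP}\n"
    "[1:369:6] ICMP PING BayRS Router [Classification: Misc activity] [Priority: 3]: {ICMP}\n"
    "[1:373:6] ICMP PING Flowpoint2200 or Network Management Software "
    "[Classification: Misc activity] [Priority: 3]: {ICMP}\n"
)

ALERT_ID = re.compile(r"\[(\d+):(\d+):(\d+)\]")   # [gid:sid:rev]
RULE_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def alert_sids(alert_text):
    """Return the (gid, sid) pairs found in alert headers such as [1:368:6]."""
    return {(int(g), int(s)) for g, s, _ in ALERT_ID.findall(alert_text)}

def index_rules(rule_files):
    """Map (gid, sid) -> defining file name; gid defaults to 1 when absent."""
    index = {}
    for name, lines in rule_files.items():
        for line in lines:
            sid = RULE_SID.search(line)
            if sid:
                gid = RULE_GID.search(line)
                index[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = name
    return index

def files_to_ignore(alert_text, rule_files, current_ignore):
    """Files defining the alerting SIDs that the ignore= value does not list."""
    index = index_rules(rule_files)
    ignored = {entry.strip() for entry in current_ignore.split(",")}  # exact names
    hits = {index[key] for key in alert_sids(alert_text) if key in index}
    return sorted(name for name in hits if name not in ignored)
```

To check a real ruleset, build the dictionary from the `.rules` files of the extracted rule tarball instead of the constructed sample.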