[Snort-users] Commented rule triggering alerts

Joao Daniel Neves joaodanielnevesss at ...125...
Wed Apr 10 16:36:53 EDT 2013

Joel Esler,
I'm not using pulledpork!

Waldo Kitty, 
I sorry I did not know that. The rule is 1:381. (http://www.snort.org/search/sid/1-381)

Y M,
I dont have protocol-icmp.rules file.  

As the guys can see the rule is commented:
### alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO PING Oracle Solaris"; dsize:8; itype:8; classtype:misc-activity; sid:381; rev:9;)

What I think is a little stranger according to Snort site this rule is trigged when  "... when an ICMP echo request is made from a Solaris host running SING software."

As the guys can see I dont have any reference to that SING software on the rule. I don't know if it makes sense. 

To: joaodanielnevesss at ...125...; snort-users at lists.sourceforge.net
From: snort at ...15979...
Subject: RE: [Snort-users] Commented rule triggering alerts
Date: Wed, 10 Apr 2013 23:20:26 +0300

Which ruleset are you using? icmp-info.rules and icmp.rules have been consolidated under a new rules file with the name: protocol-icmp.rules

Joao Daniel Neves

‎4/‎10/‎2013 10:54 PM

snort-users at lists.sourceforge.net

[Snort-users] Commented rule triggering alerts


I have a lot of ICMP/Ping alerts. So I decided to remove the rule that was triggering those alerts. The  sid of the rule is 381.

I  did the following:

cd /etc/snort/rules

grep -wril 'sid:381' ./*


vim icmp-info.rules

I found the line and then commented it by placing an "#" in the begging of the line. I stopped Snort and then stated it again.

And I still get alert for that SID. What can I do to solve it ? 

Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news! 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130410/00e1db50/attachment.html>

More information about the Snort-users mailing list