Snort mailing list archives
ICMP false positives...
From: Paulie <paulie () hayseed net>
Date: Tue, 12 Jun 2001 21:12:49 -0700 (PDT)
Greetings,

I run a fair-sized home network. It is used mostly for personal purposes and for providing certain services to a small community of friends and fellow network professionals. My problem is, having installed ACID I am logging HUGE numbers of ICMP destination unreachables and MISC large ICMP packets. I mean LOTS. I generate like 5-10,000/day. I have examined a random sampling of these and they all appear to be benign. Many seem to be generated by analog, the web log analyzer we use, which generates a lot of collateral traffic as it runs through the logs (lots of DNS and the like). Lots of the large ICMP packets are generated by folks in network operations who use the server to troubleshoot network issues from outside their network. When I boil it down it begins to seem silly for me to collect the number of these packets that I am and keep them about. I tend to end up batch-deleting them from the MySQL database via ACID. They are still logged via syslog but...

So my actual question is: do people think it worthwhile to continue to log this stuff, or just remove those rules from the ruleset? I fully realize that this is somewhat dangerous and that the whole question is VERY relative to what any given person is looking to achieve/protect etc. In other words, yes, it depends on a lot of factors, but what do people think about not logging much of the ICMP blech that flows by?

Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
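Before removing the ICMP rules outright, a middle path is to measure who is generating the alerts: if a handful of known hosts (the log analyzer box, the NOC people's troubleshooting host) account for nearly all of a signature's hits, a per-source suppress keeps the rule firing for everyone else. The script below is an added example, not code from the original post, from Snort or from ACID. It parses constructed lines in Snort's one-line "fast" alert format, counts hits per signature and source, and emits Snort 2.x threshold.conf `suppress` entries for the dominant sources. The SIDs, addresses and timestamps in the sample are placeholders, and the `min_hits` / `min_share` thresholds are assumptions to tune for your own volume.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Snort's one-line "fast" alert format. SIDs, addresses
# and timestamps are placeholders, not values taken from the post. The last
# line is deliberately not an alert, to show that noise is skipped.
SAMPLE_ALERTS = """\
06/12-21:01:03.101010  [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.20
06/12-21:01:04.202020  [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.20
06/12-21:01:05.303030  [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.21
06/12-21:01:06.404040  [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.22
06/12-21:01:07.505050  [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.20
06/12-21:02:08.606060  [**] [1:402:4] ICMP Destination Unreachable (Port Unreachable) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.44 -> 10.0.0.20
06/12-21:03:09.707070  [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.0.20
06/12-21:03:10.808080  [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.0.20
06/12-21:03:11.909090  [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.0.0.11 -> 10.0.0.20
06/12-21:03:12.010101  [**] [1:499:3] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.0.0.11 -> 10.0.0.20
this line is not an alert and must be skipped
"""

# Fields we need from a fast-format alert: generator id, signature id, the
# message, the protocol and the source/destination addresses.
FAST_ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alert(line):
    """Return the parsed fields of one alert line, or None if it is not an alert."""
    m = FAST_ALERT_RE.search(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Map (gid, sid, msg) -> Counter of source addresses that triggered it."""
    by_sig = defaultdict(Counter)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        by_sig[(a["gid"], a["sid"], a["msg"])][a["src"]] += 1
    return by_sig


def suppress_candidates(by_sig, min_hits=5, min_share=0.8):
    """Signatures where a single source produces at least min_share of the hits.

    Those are the cases where a per-source suppress removes the noise while the
    rule keeps alerting on every other host. Both thresholds are assumptions.
    """
    out = []
    for (gid, sid, msg), srcs in by_sig.items():
        total = sum(srcs.values())
        src, hits = srcs.most_common(1)[0]
        if total >= min_hits and hits / total >= min_share:
            out.append({"gid": gid, "sid": sid, "msg": msg,
                        "src": src, "hits": hits, "total": total})
    return sorted(out, key=lambda c: (c["gid"], c["sid"]))


def render_threshold_conf(candidates):
    """Emit Snort 2.x threshold.conf 'suppress' lines for the candidates."""
    return [
        f"suppress gen_id {c['gid']}, sig_id {c['sid']}, track by_src, ip {c['src']}"
        for c in candidates
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS.splitlines())
    for (gid, sid, msg), srcs in sorted(summary.items()):
        print(f"{gid}:{sid} {msg}: {sum(srcs.values())} hits, "
              f"top sources {srcs.most_common(3)}")
    for entry in render_threshold_conf(suppress_candidates(summary)):
        print(entry)
```

Run it against a real alert file by replacing `SAMPLE_ALERTS.splitlines()` with the file's lines. In the sample, the port-unreachable signature is dominated by one source and gets a suppress entry; the large-ICMP hits are spread across two hosts and stay as they are, which is the signal that they deserve a look rather than a blanket rule removal.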
Current thread:
- ICMP false positives... Paulie (Jun 12)
- RE: ICMP false positives... Ofir Arkin (Jun 13)