Snort mailing list archives
Re: ICMP logs
From: Neil Dickey <neil () geol niu edu>
Date: Fri, 25 May 2001 10:28:03 -0500 (CDT)
jan () hundert6 de wrote asking:
I've tried to write a pass rule for ICMP type 3 code 3 from my border router to my firewall. It looks like this:
  pass icmp my.border.router/32 any -> my.fire.wall/32 any (itype:"3";icode:"3";)
Snort doesn't complain and starts nicely, but keeps logging them, although I DID specify -o. Version's 1.7, Platform FreeBSD 4.2 STABLE.
Any suggestions? Drives me mad.

I don't know that this would cause a problem, but my "itype" specifications look like this ...

  itype: 3;

... rather than with the quotes and no space.

Did you comment out the rule that alerts on these packets, or alter it so that it wouldn't see them? I think I would have tried that before writing a pass rule.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
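
An added example, not part of the original thread or of Snort itself: a small Python check for the two things the reply raises, namely itype/icode values written as something other than a bare number, and an alert rule that still covers the packets the pass rule names. The alert rule in the sample ruleset and all function names are constructed for illustration; addresses and ports are not compared.

```python
import re

# Constructed sample ruleset: the pass rule quoted in the post, plus a
# hypothetical alert rule of the kind the reply asks about.
SAMPLE_RULES = r'''
alert icmp any any -> any any (msg:"ICMP port unreachable"; itype: 3; icode: 3;)
pass icmp my.border.router/32 any -> my.fire.wall/32 any (itype:"3";icode:"3";)
'''

RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')

def parse_rules(text):
    """Return a list of dicts: action, proto, opts (option name -> raw value), line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines, comments, anything that is not a rule
        action, proto, body = m.groups()
        opts = {}
        for part in body.split(';'):
            if ':' in part:
                key, value = part.split(':', 1)
                opts[key.strip()] = value.strip()
        rules.append({'action': action, 'proto': proto, 'opts': opts, 'line': line.strip()})
    return rules

def quoted_numeric_opts(rule):
    """Names of itype/icode options whose value is not a bare integer."""
    return [k for k in ('itype', 'icode')
            if k in rule['opts'] and not rule['opts'][k].isdigit()]

def icmp_key(rule):
    """(itype, icode) with any quotes stripped; None means 'matches any'."""
    return tuple(rule['opts'].get(k, '').strip('"') or None for k in ('itype', 'icode'))

def alerts_covering(pass_rule, rules):
    """Alert/log rules (same protocol) whose itype/icode include the pass rule's.
    Addresses and ports are not compared."""
    want = icmp_key(pass_rule)
    return [r['line'] for r in rules
            if r['action'] in ('alert', 'log') and r['proto'] == pass_rule['proto']
            and all(h is None or h == w for h, w in zip(icmp_key(r), want))]

if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for rule in (r for r in rules if r['action'] == 'pass'):
        print(quoted_numeric_opts(rule), alerts_covering(rule, rules))
```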