Snort mailing list archives
Question about "pass" sigs...
From: "Vazquez, Ed" <Ed.Vazquez () dhha org>
Date: Thu, 25 Oct 2001 16:20:26 -0600
OK, someone tell me that I've either hosed this up, or at least that I'm not crazy...

My manglement wants me to run _all_ the signatures "for a while." Now, we have an internal tool called "What's Up Gold" that is used by the net team to ping the external border router in an effort to alert them if it stops responding to ping or "goes down." Now, WUGold runs on Microsoft, and the bogus alerts I am seeing are the "ICMP Ping Microsoft Windows" and "ICMP Echo Reply" for each time (every 5 min) that all machines running WUGold "check" the border router. This is a bit annoying, and is filling my database.

So, I created rules at the top of icmp-info.rules that read:

    pass icmp 204.131.207.148/30 any -> 205.170.235.246/32 any (msg:"Border router What'sUp Gold Reply";itype:0;icode:0;)
    pass icmp 205.170.235.246/32 any -> 204.131.207.148/30 any (msg:"Border router What'sUp Gold Request";content:"|303132333435363738396162636465666768696a6b6c6d6e6f70| ";itype:8;depth:32;)

Where 205.170.235.246 is the external NAT address, and 204.131.207.149 and .150 (therefore the .248/30 subnet) are the border router and its failover partner.

And yet, with no errors reported by Snort, I _still_ am getting the MS Windows ping and reply from the addresses that are allegedly being excluded. And yes, I do start snort with the "-o" option.

Any ideas? Did I flub the rules?

-- 
Ed Vázquez
"Abandon shop! Abandon shop! This is not a daffodil!"
--Holly in "Demons & Angels", Red Dwarf series V
Attachment: DHHA Email Policy.txt
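As an added example that is not part of the original post (and not Snort's own rule parser), here is a small Python check that reads the two pass rules exactly as written above and replays constructed WUG request/reply packets through them; all function names and the sample payload are my own. It also decodes the content option byte by byte, so the space before the closing quote shows up as a literal space byte the rule would require (if that space is really in the rule file rather than an artifact of the archive).

```python
import ipaddress
import re

RULES = [  # verbatim from the post, including the space before the closing quote
    'pass icmp 204.131.207.148/30 any -> 205.170.235.246/32 any '
    '(msg:"Border router What\'sUp Gold Reply";itype:0;icode:0;)',
    'pass icmp 205.170.235.246/32 any -> 204.131.207.148/30 any '
    '(msg:"Border router What\'sUp Gold Request";'
    'content:"|303132333435363738396162636465666768696a6b6c6d6e6f70| ";itype:8;depth:32;)',
]
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+\S+\s+(?:->|<>)\s+(\S+)\s+\S+\s*\((.*)\)\s*$')
OPTION = re.compile(r'(\w+):\s*("[^"]*"|[^;]*);')  # name:value; pairs in the parentheses

def parse_rule(text):
    """Return (src, dst, options) for a Snort 1.x rule; hypothetical helper, not Snort's parser."""
    _action, _proto, src, dst, body = HEADER.match(text).groups()
    return src, dst, dict(OPTION.findall(body))

def content_bytes(value):
    """Decode a content string: text between | | is hex, everything else is literal."""
    out = b""
    for i, seg in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode()
    return out

def covers(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def rule_matches(text, src_ip, dst_ip, itype, payload):
    """Toy matcher: addresses plus itype/content/depth options (msg and icode are ignored)."""
    src, dst, o = parse_rule(text)
    if not (covers(src, src_ip) and covers(dst, dst_ip)):
        return False
    if "itype" in o and int(o["itype"]) != itype:
        return False
    if "content" in o:
        depth = int(o.get("depth", len(payload)))
        if content_bytes(o["content"]) not in payload[:depth]:
            return False
    return True

# Constructed ICMP payload: what the hex in the content option spells out, plus filler.
PAYLOAD = b"0123456789abcdefghijklmnop" + b"qrstuv"
def check():
    nat, router, partner = "205.170.235.246", "204.131.207.149", "204.131.207.150"
    return {
        "reply_passed": rule_matches(RULES[0], partner, nat, 0, PAYLOAD),
        "request_passed": rule_matches(RULES[1], nat, router, 8, PAYLOAD),
        # same rule with the space before the closing quote removed
        "request_passed_no_space": rule_matches(RULES[1].replace('| "', '|"'), nat, router, 8, PAYLOAD),
        # the prose says .248/30, the rules say .148/30: only one contains the router
        "router_in_148_30": covers("204.131.207.148/30", router),
        "router_in_248_30": covers("204.131.207.248/30", router),
    }
```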