Snort mailing list archives

RE: How to ignore ping/icmp traffic to-from a host


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Tue, 26 Feb 2002 12:37:03 -0500

One way to solve your problem:

1) Find the rule that is being triggered by your node monitor, and look
at the attributes.

2) Edit your local.rules file, adding a "pass" rule using the
appropriate source, destination, and traffic attributes.  Also, if your
node monitor is checking a number of hosts, you may want to create a
variable in your snort.conf file to use as the destination in the rule
(something like "var ALLOW_ICMP [x.x.x.3/32,x.x.x.4/32]").

3) Start snort with "-o", so that pass rules are processed before alert
rules.

There are a number of ways to do this, but I've found that you're
usually better off using local.rules, so that you have a single file
with all of the necessary customizations for your site.  Less work at
the command line, and easy to "take with you" when testing new rulesets,
distributions, etc.

Cheers

Keith
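As an added illustration of the three steps above (not code from the post, and not Snort's own rule engine), the following Python models how Snort orders pass and alert rules. It embeds a constructed `snort.conf` variable block and a two-line `local.rules` fragment using private addresses (10.0.0.10 as the node monitor, 10.0.0.3 and 10.0.0.4 as the monitored hosts, all assumptions standing in for the x.x.x.x values in the post), parses just enough of the rule syntax (action, protocol, address variables, CIDR lists, `itype`) to match a packet, and evaluates the rules in the default alert-before-pass order versus the pass-before-alert order that `-o` selects. The simplified `alert icmp ... itype:8` rule is a stand-in for whatever stock rule the monitor's pings trigger, not a specific rule from any ruleset.

```python
import ipaddress

# Constructed snort.conf fragment (step 2): a variable for the monitor and one for the hosts it pings.
SNORT_CONF_VARS = [
    "var NODE_MONITOR 10.0.0.10/32",
    "var ALLOW_ICMP [10.0.0.3/32,10.0.0.4/32]",
]

# Constructed local.rules fragment: a generic echo-request alert (stand-in for the triggered rule)
# and the pass rule that whitelists the monitor's pings to the listed hosts.
LOCAL_RULES = [
    'alert icmp any any -> any any (msg:"ICMP PING"; itype:8;)',
    'pass icmp $NODE_MONITOR any -> $ALLOW_ICMP any (itype:8;)',
]

# Rule-class evaluation order: Snort's default versus the order selected by "-o" (step 3).
ORDER_DEFAULT = ("alert", "pass", "log")
ORDER_DASH_O = ("pass", "alert", "log")


def load_vars(lines):
    """Parse 'var NAME value' lines; a bracketed, comma-separated value becomes a list of networks."""
    variables = {}
    for line in lines:
        _, name, value = line.split()
        variables[name] = [ipaddress.ip_network(n) for n in value.strip("[]").split(",")]
    return variables


VARS = load_vars(SNORT_CONF_VARS)


def parse_rule(text):
    """Split a rule into its header fields and a dict of the (key:value) options."""
    header, _, options = text.partition("(")
    action, proto, src, _sport, _arrow, dst, _dport = header.split()
    opts = {}
    for opt in options.rstrip(")").split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "dst": dst, "opts": opts}


def addr_matches(spec, ip):
    """'any' matches everything; '$VAR' expands from snort.conf; otherwise a literal CIDR list."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        nets = VARS[spec[1:]]
    else:
        nets = [ipaddress.ip_network(n) for n in spec.strip("[]").split(",")]
    return any(ipaddress.ip_address(ip) in net for net in nets)


def rule_matches(rule, pkt):
    """A rule matches when protocol, addresses and (if present) the ICMP type all agree."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not addr_matches(rule["src"], pkt["src"]) or not addr_matches(rule["dst"], pkt["dst"]):
        return False
    itype = rule["opts"].get("itype")
    return itype is None or int(itype) == pkt.get("itype")


def dispatch(pkt, rules=LOCAL_RULES, order=ORDER_DEFAULT):
    """Return the action of the first matching rule, checking rule classes in the given order."""
    parsed = [parse_rule(r) for r in rules]
    for action in order:
        for rule in parsed:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action
    return None


def echo_request(src, dst):
    """Constructed ICMP echo request (itype 8) as a minimal packet record."""
    return {"proto": "icmp", "src": src, "dst": dst, "itype": 8}


if __name__ == "__main__":
    monitor_ping = echo_request("10.0.0.10", "10.0.0.3")
    print("default order:", dispatch(monitor_ping))                    # alert wins before pass is seen
    print("with -o:      ", dispatch(monitor_ping, order=ORDER_DASH_O))  # pass rule now suppresses it
    print("other host:   ", dispatch(echo_request("10.0.0.99", "10.0.0.3"), order=ORDER_DASH_O))
```

Running it shows the point of step 3: with the same two rules, the monitor's ping is still alerted under the default order and only becomes a pass once `-o` moves pass rules ahead of alert rules, while a ping from a source outside `$NODE_MONITOR` (or to a host outside `$ALLOW_ICMP`) is still alerted either way, so the whitelist stays as narrow as the variables make it.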

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net