Snort mailing list archives
RE: How to ignore ping/icmp traffic to-from a host
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Tue, 26 Feb 2002 12:37:03 -0500
One way to solve your problem:

1) Find the rule that is being triggered by your node monitor, and look at the attributes.

2) Edit your local.rules file, adding a "pass" rule using the appropriate source, destination, and traffic attributes. Also, if your node monitor is checking a number of hosts, you may want to create a variable in your snort.conf file to use as the destination in the rule (something like "var ALLOW_ICMP [x.x.x.3/32,x.x.x.4/32]").

3) Start snort with "-o", so that pass rules are processed before alert rules.

There are a number of ways to do this, but I've found that you're usually better off using local.rules, so that you have a single file with all of the necessary customizations for your site. Less work at the command line, and easy to "take with you" when testing new rulesets, distributions, etc.

Cheers

Keith
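The three steps above, written out as an added example that is not part of the original message or of the Snort distribution. The NODE_MONITOR variable name and every x.x.x.N address are placeholders to replace with your own values; the pass rules are narrowed to echo request and echo reply so that other ICMP traffic between these hosts still reaches the alert rules.

```conf
# --- snort.conf ---
# Host running the node monitor (hypothetical variable name, placeholder address).
var NODE_MONITOR x.x.x.2/32
# Hosts the monitor pings, using the variable suggested in the message.
var ALLOW_ICMP [x.x.x.3/32,x.x.x.4/32]

# Site-specific rules live in one file.
include local.rules

# --- local.rules ---
# Pass echo requests (ICMP type 8) from the monitor to the monitored hosts.
pass icmp $NODE_MONITOR any -> $ALLOW_ICMP any (itype: 8;)
# Pass the echo replies (ICMP type 0) coming back.
pass icmp $ALLOW_ICMP any -> $NODE_MONITOR any (itype: 0;)

# --- command line ---
# -o changes the rule order so pass rules are applied before alert rules;
# without it the alert rule matches first and the pass rules have no effect.
# snort -o -c snort.conf
```

Keeping the source and destination as /32 hosts limits the unmonitored traffic to the monitor's own pings; a pass rule written with "any" on either side would hide all matching ICMP from the sensor.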