Snort mailing list archives
Re: Speedera Alerts
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 25 Mar 2002 10:31:08 -0800 (PST)
On Mon, 25 Mar 2002, Kevin L Pawloski wrote:
> My Snort logs are being flooded with Speedera Alerts. This is to be expected since they are pinging one of my DNS servers =) Except for some reason the rule I am using is not filtering out any of their packets. Here is what I have in my icmp rules and a sample packet.
>
> alert ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3A3B 3C3D 3E3F|"; itype: 8; )
>
> 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17  ................
> 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27  ........ !"#$%&'
> 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37  ()*+,-./01234567
> 38 39 3A 3B 3C 3D 3E 3F                          89:;<=>?
>
> Any ideas?
Well, if that rule is in your ruleset, and you are getting those pings--It should fire. It's an 'alert' rule. Alert rules do just that--Alert! :)

Now if you wanted to ignore it, then copy the rule, change 'alert' to 'pass' and then start snort with a -o parameter. Should do it....

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
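To see why Erek's answer works, the following added example (not from the thread or from Snort itself) models the two things under discussion: how the `content: "|3839 3A3B 3C3D 3E3F|"` hex string is matched against the ICMP payload Kevin posted, and why a `pass` copy of the rule only suppresses the alert when Snort's rule order is changed with `-o`. Snort's default order applies Alert rules before Pass rules; `-o` switches to Pass, Alert, Log, so the pass rule gets first claim on the packet. The rule parser here is a deliberately minimal model that handles only the options seen in the thread (`msg`, `content`, `itype`), and the payload is reconstructed from the hex dump in the quoted mail.

```python
import re

# Constructed sample input: the ICMP echo-request payload in Kevin's dump is
# the byte run 0x08 .. 0x3F; its tail 38 39 3A 3B 3C 3D 3E 3F prints as 89:;<=>?
SAMPLE_PAYLOAD = bytes(range(0x08, 0x40))

# The rule as posted in the thread, plus a copy with 'alert' changed to 'pass'
# exactly as Erek suggests.
ALERT_RULE = ('alert ICMP any any -> any any '
              '(msg:"PING Speedera"; content: "|3839 3A3B 3C3D 3E3F|"; itype: 8; )')
PASS_RULE = ALERT_RULE.replace("alert", "pass", 1)

# Order in which Snort applies rule groups: default, and with the -o switch.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")


def parse_content(value: str) -> bytes:
    """Turn a Snort content string into bytes: text between pipes is hex
    (spaces ignored), text outside the pipes is a literal string."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


# action, protocol, src addr/port, ->, dst addr/port, then the option body
_RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s*\((.*)\)\s*$")


def parse_rule(text: str) -> dict:
    """Minimal model of a Snort ICMP rule: only msg, content and itype are understood."""
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, body = m.group(1).lower(), m.group(2).lower(), m.group(3)
    opts = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {
        "action": action,
        "proto": proto,
        "msg": opts.get("msg", ""),
        "content": parse_content(opts["content"]) if "content" in opts else None,
        "itype": int(opts["itype"]) if "itype" in opts else None,
    }


def rule_matches(rule: dict, itype: int, payload: bytes) -> bool:
    """True when the ICMP type and the content pattern both match the packet."""
    if rule["proto"] != "icmp":
        return False
    if rule["itype"] is not None and rule["itype"] != itype:
        return False
    if rule["content"] is not None and rule["content"] not in payload:
        return False
    return True


def evaluate(rule_texts, itype: int, payload: bytes, pass_first: bool = False):
    """Return the action of the first matching rule in Snort's group order,
    or None if nothing matches. pass_first=True models the -o switch."""
    rules = [parse_rule(t) for t in rule_texts]
    for action in (PASS_FIRST_ORDER if pass_first else DEFAULT_ORDER):
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, itype, payload):
                return action
    return None


if __name__ == "__main__":
    print("content bytes:", parse_content("|3839 3A3B 3C3D 3E3F|"))
    print("alert+pass, default order:", evaluate([ALERT_RULE, PASS_RULE], 8, SAMPLE_PAYLOAD))
    print("alert+pass, with -o:      ", evaluate([ALERT_RULE, PASS_RULE], 8, SAMPLE_PAYLOAD, pass_first=True))
    print("echo reply (itype 0):     ", evaluate([ALERT_RULE], 0, SAMPLE_PAYLOAD))
```

With both rules loaded and the default order, the alert still fires because the Alert group is checked first; with `pass_first=True` (the `-o` behaviour) the pass rule claims the packet and nothing is alerted. An echo reply (itype 0) carrying the same payload matches neither rule, since `itype: 8` restricts the rule to echo requests.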