Snort mailing list archives

RE: Speedera Alerts


From: "Luo, Feng (Exchange)" <fengluo () bear com>
Date: Tue, 26 Mar 2002 10:36:46 -0500

Erek, could you explain what the dangers of these Speedera Alerts are? I
got a lot too.

thanks,
feng

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Monday, March 25, 2002 1:31 PM
To: Kevin L Pawloski
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Speedera Alerts


On Mon, 25 Mar 2002, Kevin L Pawloski wrote:

> My Snort logs are being flooded with Speedera Alerts. This is to be
> expected since they are pinging one of my DNS servers =) Except for some
> reason the rule I am using is not filtering out any of their packets.
> Here is what I have in my icmp rules and a sample packet.
>
> alert ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3A3B 3C3D 3E3F|"; itype: 8; )
>
> 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17   ...............
> 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27   ........ !"#$%&'
> 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37   ()*+,-./01234567
> 38 39 3A 3B 3C 3D 3E 3F                           89:;<=>?
>
> Any ideas?

Well, if that rule is in your ruleset, and you are getting those pings--It
should fire.  It's an 'alert' rule.  Alert rules do just that--Alert!  :)

Now if you wanted to ignore it, then copy the rule, change 'alert' to 'pass'
and then start snort with a -o parameter.

Should do it....

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
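
Added example, not part of the original posts and not Snort's own code: a simplified Python model of the exchange above, showing that the posted content pattern matches the sample payload and why the 'pass' copy only suppresses the alert once -o switches rule application from alert, pass, log to pass, alert, log. The function names, the reconstructed payload and the first-match model are assumptions made for illustration.

```python
import re

# Sample ICMP echo payload from the post (bytes 0x08..0x3F), reconstructed here.
PAYLOAD = bytes(range(0x08, 0x40))

# The posted alert rule and the 'pass' copy suggested in the reply.
RULES = [
    'alert ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3A3B 3C3D 3E3F|"; itype: 8; )',
    'pass ICMP any any -> any any (msg:"PING Speedera"; content: "|3839 3A3B 3C3D 3E3F|"; itype: 8; )',
]

def parse_content(pattern):
    """Turn a Snort content string into bytes; text between |...| is hex."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes: hex, spaces ignored
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_rule(line):
    """Extract action, content bytes and itype (only the options used in this thread)."""
    action = line.split()[0]
    content = re.search(r'content:\s*"([^"]*)"', line).group(1)
    itype = int(re.search(r'itype:\s*(\d+)', line).group(1))
    return {"action": action, "content": parse_content(content), "itype": itype}

def matches(rule, icmp_type, payload):
    """True when the ICMP type equals itype and the content bytes occur in the payload."""
    return rule["itype"] == icmp_type and rule["content"] in payload

def verdict(rule_lines, icmp_type, payload, pass_first=False):
    """Return the action of the first matching rule, walking rules by action type.

    Default order is alert, pass, log; pass_first=True models -o (pass, alert, log).
    """
    order = ["pass", "alert", "log"] if pass_first else ["alert", "pass", "log"]
    rules = [parse_rule(line) for line in rule_lines]
    for action in order:
        for rule in rules:
            if rule["action"] == action and matches(rule, icmp_type, payload):
                return action
    return None

if __name__ == "__main__":
    print("default order:", verdict(RULES, 8, PAYLOAD))
    print("with -o      :", verdict(RULES, 8, PAYLOAD, pass_first=True))
```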



