Snort mailing list archives
RE: *NIX ping alerts
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Mon, 24 Jun 2002 16:30:39 -0400
Jason,

Just examine the rule(s) that are triggering alerts and write a simple pass rule for the source and destination. See the docs for guidelines on writing rules <http://www.snort.org/docs/writing_rules/chap2.html#tth_chAp2>.

And if you're watching the wire between your firewall and your router, and the firewall performs NAT, then the source should be on the same network as your router's Ethernet interface. Again, look at the alerts and you'll see the source address that's setting things off.

Not sure how a NAT'd packet from a single monitoring node could have one of 256 addresses. Sounds fishy...

Cheers

Keith

-----Original Message-----
From: Jason Gauthier [mailto:jgauthier () lastar com]
Sent: Monday, June 24, 2002 4:15 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] *NIX ping alerts

Greetings-

I'm using snort between my WAN router and my firewall, so I am seeing a good amount of traffic. Fortunately, it's not TOO overwhelming.

However, I have a box on the inside running Nagios (formerly Netsaint) that pings my WAN router, to make sure it's up and measure the traffic. I would really like to remove the alerts for this. Is there any way?

It is a bit complicated, because the firewall does NAT. Which means it looks like it could be coming from any of my 256 addresses.
Thanks,
Jason

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
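
The approach in the reply above (read the alerts, find the source address, write a pass rule for that source and destination) can be scripted. The following is an added example, not part of the original thread: the alert lines are constructed in Snort's one-line fast-alert layout, and the addresses, the expected NAT network and the function names are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample alerts; all addresses are documentation ranges,
# not values taken from the thread.
SAMPLE_ALERTS = """\
06/24-16:10:01.120000  [**] ICMP PING *NIX [**] {ICMP} 192.0.2.17 -> 192.0.2.1
06/24-16:11:01.130000  [**] ICMP PING *NIX [**] {ICMP} 192.0.2.17 -> 192.0.2.1
06/24-16:11:30.000000  [**] ICMP PING *NIX [**] {ICMP} 198.51.100.9 -> 192.0.2.1
06/24-16:12:01.110000  [**] ICMP PING *NIX [**] {ICMP} 192.0.2.17 -> 192.0.2.1
06/24-16:12:05.000000  [**] ICMP PING NMAP [**] {ICMP} 192.0.2.17 -> 192.0.2.1
06/24-16:12:44.000000  [**] ICMP PING *NIX [**] {ICMP} 192.0.2.17 -> 192.0.2.200
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+(?:\[[\d:]+\]\s+)?(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)


def ping_sources(alert_text, msg, router):
    """Count source addresses of alerts named `msg` that target `router`."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m and m["msg"] == msg and m["dst"] == router:
            counts[m["src"]] += 1
    return counts


def pass_rules(sources, expected_net, router):
    """Emit pass rules only for sources inside `expected_net`.

    Sources outside it are returned separately for review, never passed.
    """
    net = ip_network(expected_net)
    rules, outside = [], []
    for src in sorted(sources, key=ip_address):
        if ip_address(src) in net:
            # itype 8 = echo request, so only the ping itself is passed.
            rules.append(f"pass icmp {src}/32 any -> {router}/32 any (itype: 8;)")
        else:
            outside.append(src)
    return rules, outside


if __name__ == "__main__":
    seen = ping_sources(SAMPLE_ALERTS, "ICMP PING *NIX", "192.0.2.1")
    rules, outside = pass_rules(seen, "192.0.2.0/24", "192.0.2.1")
    print("sources seen:", dict(seen))
    print("\n".join(rules))
    print("not passed, review:", outside)
```

Snort releases of this period evaluate alert rules before pass rules unless started with `-o`, so the generated rules only suppress the alert when that option is set. The count of distinct sources also shows directly whether the monitoring host really appears as many addresses after NAT.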
Current thread:
- *NIX ping alerts Jason Gauthier (Jun 24)
- <Possible follow-ups>
- RE: *NIX ping alerts McCammon, Keith (Jun 24)
- RE: *NIX ping alerts Jason Gauthier (Jun 24)
- RE: *NIX ping alerts McCammon, Keith (Jun 24)
- RE: *NIX ping alerts Jason Gauthier (Jun 24)