Snort mailing list archives
Re: ICMP / drop.
From: Ralf Spenneberg <lists () spenneberg org>
Date: 09 Oct 2003 08:44:07 +0200
On Thu, 2003-10-09 at 08:13, Rudi Starcevic wrote:
I'm trying to drop all icmp/ping packets on my Debian box in the US. I'm in Australia.

/sbin/iptables --append INPUT -p icmp -s ! 127.0.0.1/32 -j DROP

This works fine from my side. I'm unable to get any Ping responses. However some are still getting through. Here is a sample Snort log alert.

[**] ICMP PING CyberKit 2.2 Windows [**]
10/08-22:42:48.897689 4.34.170.219 -> 64.235.238.29
ICMP TTL:114 TOS:0x0 ID:10694 IpLen:20 DgmLen:92
Type:8 Code:0 ID:768 Seq:59374 ECHO
Snort uses libpcap. This library sees the packets before they are filtered. Even if you filter the packet in the input chain, tcpdump and snort still see the packet!
How can I make it so my machine replies to *no* icmp packets?
If you want to stop the replies you have to use

iptables -A OUTPUT -p icmp -j DROP

Cheers,

Ralf

--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server
http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
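An added example, not part of the original post: because Snort sees inbound packets before the INPUT chain drops them, an alert for an echo request (Type:8) does not show that the host answered. The Python sketch below pairs echo requests with echo replies (Type:0) from the protected host by peer address, ICMP ID and Seq. The alert text is constructed sample data using documentation addresses, the function names are hypothetical, and it assumes a Snort rule that alerts on echo replies is enabled.

```python
import re

# Constructed sample in Snort's full-alert layout (RFC 5737 addresses).
# Assumption: a rule alerting on ICMP echo replies (Type:0) is enabled.
SAMPLE_ALERTS = """\
[**] ICMP PING CyberKit 2.2 Windows [**]
10/08-22:42:48.897689 198.51.100.7 -> 192.0.2.10
ICMP TTL:114 TOS:0x0 ID:10694 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:59374  ECHO

[**] ICMP PING [**]
10/08-22:43:01.120001 198.51.100.9 -> 192.0.2.10
ICMP TTL:52 TOS:0x0 ID:4411 IpLen:20 DgmLen:84
Type:8  Code:0  ID:512   Seq:1  ECHO

[**] ICMP Echo Reply [**]
10/08-22:43:01.120355 192.0.2.10 -> 198.51.100.9
ICMP TTL:64 TOS:0x0 ID:4412 IpLen:20 DgmLen:84
Type:0  Code:0  ID:512  Seq:1  ECHO REPLY
"""

ADDRS = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)\s*$", re.M)
ICMP = re.compile(r"^Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)", re.M)

def parse_alerts(text):
    """Yield (src, dst, icmp_type, icmp_id, seq) for each ICMP alert block."""
    for block in re.split(r"\n\s*\n", text.strip()):
        addrs, icmp = ADDRS.search(block), ICMP.search(block)
        if addrs and icmp:
            yield (addrs.group(1), addrs.group(2), int(icmp.group(1)),
                   int(icmp.group(3)), int(icmp.group(4)))

def answered_pings(text, host):
    """Split echo requests sent to `host` into answered and unanswered ones."""
    requests, replies = [], set()
    for src, dst, icmp_type, icmp_id, seq in parse_alerts(text):
        if icmp_type == 8 and dst == host:      # echo request arriving at host
            requests.append((src, icmp_id, seq))
        elif icmp_type == 0 and src == host:    # echo reply leaving host
            replies.add((dst, icmp_id, seq))
    answered = [r for r in requests if r in replies]
    silent = [r for r in requests if r not in replies]
    return answered, silent

if __name__ == "__main__":
    answered, silent = answered_pings(SAMPLE_ALERTS, "192.0.2.10")
    print("answered:", answered)
    print("no reply seen:", silent)
```

Requests that land in the second list were logged by the sensor but drew no reply, which is the expected result once ICMP is dropped.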