Snort mailing list archives
Re: Suppress ICMP messages between two internal IP's (pass rule)
From: Chris Keladis <chris () cmc optus net au>
Date: Sat, 24 Jul 2004 09:41:47 +1000
Hi Bill,

You can use a "suppress" rule on the SIDs that are firing to safely ignore these ICMP messages to/from your DCs without disabling the rule altogether.

http://www.snort.org/docs/snort_manual/node19.html

Regards,
Chris.

dogbert () netnevada net wrote:

Hi All,

In doing some more research, it turns out that the offenders are Windows domain controllers causing Snort to see:

ICMP Large ICMP Packet <--- used by Windows domain controllers to determine the speed of a given link (in this case, the VPN we use).
ICMP L3retriever Ping
ICMP PING NMAP

alerts (logging). What I need to know how to do is to define a pass rule for this type of traffic going to 10.1.1.21 and 10.1.1.23 (which are the IP addresses it is tripping on) from 172.21.x.x. Is there a good example of how this is done? (172.21.x.x usually consists of workstation traffic from one office, and 10.1.1.x are servers, as a general rule.)

Does the Snort 2.1 book show good examples of these things? I've been meaning to buy it, but don't know if it would apply with the new 2.2 series being worked on.

Bill

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
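An added example, not part of either message above: the suppress entries the reply points to, written in Snort 2.x threshold.conf syntax and evaluated against constructed alerts to show what they do and do not silence. The SIDs (499, 466, 469) are assumed from the stock ICMP rules and should be checked against the rule set in use; the alert tuples and the helper names are hypothetical.

```python
import ipaddress
import re

# Constructed suppress entries (Snort 2.x threshold.conf syntax).
# SIDs are assumptions taken from the stock icmp rules; verify locally.
SUPPRESS_CONF = """
# ICMP Large ICMP Packet
suppress gen_id 1, sig_id 499, track by_dst, ip 10.1.1.21
suppress gen_id 1, sig_id 499, track by_dst, ip 10.1.1.23
# ICMP L3retriever Ping
suppress gen_id 1, sig_id 466, track by_dst, ip 10.1.1.21
suppress gen_id 1, sig_id 466, track by_dst, ip 10.1.1.23
# ICMP PING NMAP
suppress gen_id 1, sig_id 469, track by_dst, ip 10.1.1.21
suppress gen_id 1, sig_id 469, track by_dst, ip 10.1.1.23
"""
LINE = re.compile(r"suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),"
                  r"\s*track\s+(by_src|by_dst),\s*ip\s+(\S+)")

def parse_suppress(text):
    """Parse suppress lines into (gid, sid, track, network) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = LINE.fullmatch(line)
        if not m:
            raise ValueError("unparsed suppress line: " + raw)
        gid, sid, track, net = m.groups()
        entries.append((int(gid), int(sid), track,
                        ipaddress.ip_network(net, strict=False)))
    return entries

def is_suppressed(entries, gid, sid, src, dst):
    """An alert is dropped only if gid/sid match and the tracked side is listed."""
    for e_gid, e_sid, track, net in entries:
        addr = src if track == "by_src" else dst
        if (e_gid, e_sid) == (gid, sid) and ipaddress.ip_address(addr) in net:
            return True
    return False

ENTRIES = parse_suppress(SUPPRESS_CONF)
# Constructed alerts: (gid, sid, src, dst)
SAMPLE_ALERTS = [
    (1, 499, "172.21.4.17", "10.1.1.21"),  # workstation -> DC: suppressed
    (1, 499, "172.21.4.17", "10.1.1.50"),  # same SID, other server: alerts
    (1, 469, "192.0.2.9", "10.1.1.23"),    # any source -> DC: also suppressed
    (1, 469, "10.1.1.23", "172.21.4.17"),  # DC as source: still alerts
]

def triage(alerts=SAMPLE_ALERTS):
    return [is_suppressed(ENTRIES, *a) for a in alerts]
```

A by_dst entry keys only on the destination, so it silences these SIDs toward the DCs from every source, not just 172.21.x.x; alerts where a DC is the sender would need matching by_src entries.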