Snort mailing list archives
Stopping particular rules
From: "Bennett Samowich" <brs () ben-tech com>
Date: Mon, 25 Jun 2001 10:58:07 -0400
Greetings,

I am getting an exorbitant amount of ICMP alerts and want to temporarily turn them off. I have tried commenting out the include for the ICMP rules from snort.conf as well as adding a pass line to local.rules. Neither of these seems to stop the influx of ICMP alerts.

Any ideas on what I am doing wrong?

My local.rules has:

    # Pass any ICMP traffic temporarily
    pass icmp any any -> any any (msg: "temporarily disabled";)

My snort.conf has:

    ...snip...
    # Pass any local ICMP traffic
    # Be sure you have created a local.rules file
    # for your includes/ignores, etc.
    #===============================================
    include local.rules
    include exploit.rules
    include scan.rules
    include finger.rules
    include ftp.rules
    include telnet.rules
    include smtp.rules
    include rpc.rules
    include rservices.rules
    include backdoor.rules
    include dos.rules
    include ddos.rules
    include dns.rules
    include netbios.rules
    include sql.rules
    include web-cgi.rules
    include web-coldfusion.rules
    include web-frontpage.rules
    include web-misc.rules
    include web-iis.rules
    # include icmp.rules
    include misc.rules
    include policy.rules
    include info.rules
    include virus.rules
    # Include the WhiteHats Vision rules here
    # include vision.rules
    ...snip...

- Bennett