Snort mailing list archives

Re: trace files filling with ICMP


From: Phil Wood <cpw () lanl gov>
Date: Thu, 27 Dec 2001 14:14:55 -0700

Normally, when indicating a version one shows the output of the version
switch (there are numerous 1.8's out there, some of which can create
malformed packets).

Your best bet, in getting help from the list, is to have first read the
BUGS file and to include the appropriate information from there along
with the version:

   # snort -V

to assist others in helping you get a grip.

Just because it's Christmas week, I'll ask you to fill in the blanks.
An asterisk would be relevant in your case, two asterisks, even more so:

** Snort version:

* System Architecture (Sparc, x86, etc):

** Operating System and version (Linux 2.0.22, IRIX 5.3, etc):

** What rules (if any) you were using:

** What command line switches you were using:

* Any Snort error messages:

On Wed, Dec 26, 2001 at 06:13:11PM -0500, Sheahan, Paul (PCLN-NW) wrote:

Hello,

I have Snort 1.8 running on Red Hat Linux 7.0. I just downloaded the latest
Snort rules and also installed the latest snort.conf from the archive. My
trace files are huge (700 meg) and looking in them I see a lot of traces
like below, though my reports aren't showing any ICMP stuff. For some reason
the trace feature is gathering all ICMP traffic and it's making the logs
unmanageable. Anyone know how to get rid of this? Thanks!


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/23-00:16:14.370558 10.10.10.10 -> 200.200.200.200
ICMP TTL:254 TOS:0x0 ID:12291 IpLen:20 DgmLen:28
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
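A triage script for the trace records quoted above, added here as an example and not part of either poster's message: it parses Snort 1.8-style text-log records, totals records and dumped bytes per protocol so you can see what is filling the file, and flags records whose hex dump is longer than DgmLen minus IpLen allows (the quoted record declares DgmLen:28 yet dumps 320 bytes). The sample input, regexes and function names are my own assumptions about the layout shown, not Snort's parser.

```python
import re
from collections import defaultdict

# Constructed sample in the Snort 1.8 text-log layout quoted in the thread
# (timestamp/address line, IP header line, optional hex dump). Addresses and
# counters are made up; the ICMP record mirrors the poster's shape.
SAMPLE = """\
12/23-00:16:14.370558 10.10.10.10 -> 200.200.200.200
ICMP TTL:254 TOS:0x0 ID:12291 IpLen:20 DgmLen:28
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

12/23-00:16:15.000001 10.10.10.11:1234 -> 200.200.200.200:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0x4000  TcpLen: 28
"""
HDR = re.compile(r"^(\S+) (\S+) -> (\S+)$")               # time src -> dst
IPH = re.compile(r"^(\w+) TTL:\d+ TOS:\S+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)")
HEX = re.compile(r"^((?:[0-9A-Fa-f]{2} ){0,15}[0-9A-Fa-f]{2})(?:\s{2,}.*)?$")

def parse_records(text):
    """One dict per packet header; 'dumped' counts hex-dump bytes below it."""
    records, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = {"ts": m[1], "src": m[2], "dst": m[3], "proto": None,
                   "iplen": 0, "dgmlen": 0, "dumped": 0}
            records.append(cur)
        elif cur is None:
            continue
        elif (m := IPH.match(line)):
            cur["proto"], cur["iplen"], cur["dgmlen"] = m[1], int(m[2]), int(m[3])
        elif (m := HEX.match(line)):
            cur["dumped"] += len(m[1].split())
    return records

def summarize(records):
    """(record count, dumped bytes) per protocol: what is filling the file."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r["proto"]][0] += 1
        totals[r["proto"]][1] += r["dumped"]
    return {p: tuple(v) for p, v in totals.items()}

def oversized_dumps(records):
    """Records whose dump is longer than the payload the IP header declares."""
    return [r for r in records if r["dumped"] > r["dgmlen"] - r["iplen"]]
```

Run it over a real trace file with `parse_records(open(path).read())`; a protocol that dominates the byte total, or a pile of mismatched records, tells you whether to filter the traffic or look at the logger first.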

