Snort mailing list archives

Question about "pass" sigs...


From: "Vazquez, Ed" <Ed.Vazquez () dhha org>
Date: Thu, 25 Oct 2001 16:20:26 -0600

OK, someone tell me that I've either hosed this up, or at
least that I'm not crazy...

My manglement wants me to run _all_ the signatures "for a
while."  Now, we have an internal tool called "What's Up
Gold" that is used by the net team to ping the external
border router in an effort to alert them if it stops responding
to ping or "goes down."

Now, WUGold runs on Microsoft, and the bogus alerts I am seeing
are the "ICMP Ping Microsoft Windows" and "ICMP Echo Reply"
for each time (every 5 min) that all machines running WUGold
"check" the border router.  This is a bit annoying, and is
filling my database.

So, I created rules at the top of icmp-info.rules that read:

pass icmp 204.131.207.148/30 any -> 205.170.235.246/32 any (msg:"Border router What'sUp Gold Reply";itype:0;icode:0;)
pass icmp 205.170.235.246/32 any -> 204.131.207.148/30 any (msg:"Border router What'sUp Gold Request";content:"|303132333435363738396162636465666768696a6b6c6d6e6f70|";itype:8;depth:32;)

Where 205.170.235.246 is the external NAT address, and
204.131.207.149 and .150 (therefore the .248/30 subnet) are
the border router and its failover partner.

And yet, with no errors reported by Snort, I _still_ am getting
the MS Windows ping and reply from the addresses that are
allegedly being excluded.

And yes, I do start snort with the "-o" option.

Any ideas?  Did I flub the rules?

-- 
Ed Vázquez

"Abandon shop! Abandon shop! This is not a daffodil!"
--Holly in "Demons & Angels", Red Dwarf series V
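The mechanism behind the question, as an added example that is not part of Ed's post and not Snort's own code: Snort 1.x evaluates rule types in a fixed order, Alert -> Pass -> Log by default and Pass -> Alert -> Log when started with -o, so a pass rule only suppresses a matching alert rule under -o. The toy evaluator below models that ordering together with Snort-style CIDR matching, itype/icode and a simplified content/depth check, and runs the two pass rules from the post against constructed packets. The two "alert" rules, the packet payloads and the net_covers() check are constructed stand-ins for this example, not the stock Snort signatures.

```python
"""Toy model of Snort 1.x rule-order semantics (added example, not Snort code).

Default order is Alert -> Pass -> Log; with -o it is Pass -> Alert -> Log.
Under the default order a matching alert rule fires before any pass rule is
consulted, so pass rules only silence alerts when Snort is run with -o.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    itype: int
    icode: int
    payload: bytes


@dataclass
class Rule:
    action: str                      # "pass", "alert" or "log"
    src_net: str                     # CIDR block or "any"
    dst_net: str
    msg: str
    itype: Optional[int] = None
    icode: Optional[int] = None
    content: Optional[bytes] = None
    depth: Optional[int] = None


def addr_in(addr: str, net: str) -> bool:
    """Snort-style address test: 'any' matches everything, else CIDR membership."""
    if net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every option present on the rule matches the packet."""
    if not (addr_in(pkt.src, rule.src_net) and addr_in(pkt.dst, rule.dst_net)):
        return False
    if rule.itype is not None and pkt.itype != rule.itype:
        return False
    if rule.icode is not None and pkt.icode != rule.icode:
        return False
    if rule.content is not None:
        # Simplified 'depth': the pattern must lie within the first N payload bytes.
        window = pkt.payload if rule.depth is None else pkt.payload[:rule.depth]
        if rule.content not in window:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, pass_first: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (action, msg) of the winning rule under the chosen rule order."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.msg
    return None, None


def net_covers(net: str, addrs: Iterable[str]) -> bool:
    """Sanity check for a pass rule: does its CIDR block contain every host it must cover?"""
    return all(addr_in(a, net) for a in addrs)


NAT = "205.170.235.246"                  # external NAT address from the post
ROUTER_NET = "204.131.207.148/30"        # .148-.151, the block used in the pass rules
# The hex content string from the post's second rule, decoded.
WUG_PAYLOAD = bytes.fromhex("303132333435363738396162636465666768696a6b6c6d6e6f70")

RULES = [
    # Constructed stand-ins for the two stock signatures that fired (not the real rules).
    Rule("alert", "any", "any", "ICMP PING Windows (stand-in)", itype=8,
         content=b"abcdefghijklmnop", depth=32),
    Rule("alert", "any", "any", "ICMP Echo Reply (stand-in)", itype=0),
    # The two pass rules from the post.
    Rule("pass", ROUTER_NET, NAT + "/32", "Border router What'sUp Gold Reply",
         itype=0, icode=0),
    Rule("pass", NAT + "/32", ROUTER_NET, "Border router What'sUp Gold Request",
         itype=8, content=WUG_PAYLOAD, depth=32),
]

# Constructed packets: the WUG probe to the border router and the router's reply.
REQUEST = Packet(NAT, "204.131.207.149", 8, 0, WUG_PAYLOAD)
REPLY = Packet("204.131.207.149", NAT, 0, 0, WUG_PAYLOAD)

if __name__ == "__main__":
    for flag in (False, True):
        label = "with -o  " if flag else "default  "
        print(label, evaluate(RULES, REQUEST, flag), evaluate(RULES, REPLY, flag))
```

Running it shows both probe and reply winning as "alert" under the default order and as "pass" under -o; net_covers(ROUTER_NET, [...]) is the check to run before trusting a pass rule, since a /30 that does not actually contain the router addresses will never match.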
