Snort mailing list archives

Re: "icmp-over-panic"


From: Phil Wood <cpw () lanl gov>
Date: Thu, 7 Mar 2002 17:29:19 -0700

Basil,

I've seen a number of your queries.  And I think the snort community has
given you a lot of help.

What you need to do now is read the following documents with a mind to 
understanding what they say and how snort might apply to your situation.

1. README
2. INSTALL
3. USAGE
4. FAQ
5. SnortUsersManual.pdf
6. <somename>.rules  (Check out the Description in these files.)

Then, you need to ask yourself: "Just what is it that I want to accomplish?"
(actually, you should have asked that question before pulling down snort.)

On Thu, Mar 07, 2002 at 02:19:02PM -0500, Basil Saragoza wrote:

> I just pinged novell.com and received reply from 192.233.80.9
> After that I noticed in ACID entry "ICMP echo reply"
> in snort lan sensor in "misc-activity" section....
> Why should I and why should snort care about the legitimate ping echo
> replies?

Why should you care is a good question to ask yourself.  But, please don't
think that "snort" cares a bit.  It only "cares" because YOU told it to
by leaving a rule or preprocessor in YOUR configuration.  Which brings us
back to:

  What do you want to accomplish?

  One of many answers might be:

    "I want to know if anyone in my network is pinging hosts in the void."

  In this case, you might want to create a database of insiders that are
  using ping.  Why, because they might be "Gathering Information" about
  hosts.  In other words they might be actively mapping hosts in the void.
  The next thing you know those systems that replied start seeing more
  nefarious traffic from your inside hosts.  Or, you might get a call from
  a really pissed off network admin that doesn't even speak your language.
  [which is probably a good thing].

However, I think you actually answered your own question when you said:

  "Why should I ... care about the legitimate ping echo".  You just made a
  judgement about the ping echo.  You said it is legitimate.  In that case
  you should find where the rule might be and "comment it out".  For that
  matter take a look at the beginning of the rules file that contains that
  alert and see if you even need to include the specific rule file.  It's OK to
  "comment out" a specific rule or for that matter "comment out" the include
  line for a specific rules file, in your configuration file if the rule or
  even the set of rules is not relevant to YOUR needs.

One further thing you can do is see what snort has to say about the particular
rule you are interested in.  Find the sid for the rule (it's in the alert
"code" in one of the .rules files: "sid: num;") and do this:

  http://www.snort.org/snort-db/sid.html?id=num

I'm done.

thx.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
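The steps Phil describes above (find the rule by its sid, build the snort-db lookup URL, and either comment out that one rule or comment out the `include` line for the whole rules file) as an added worked example. This is not code from the message or from the Snort project; the rules file, the snort.conf fragment, the file names `icmp.rules` and `scan.rules`, and the sids 1000001 and 1000002 are all constructed samples for illustration.

```python
import re

# Constructed sample of a Snort rules file; not from the message or the Snort distribution.
SAMPLE_RULES = """\
# icmp.rules (constructed sample)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; itype:0; classtype:misc-activity; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable"; itype:3; classtype:misc-activity; sid:1000002; rev:1;)
"""

# Constructed sample of the include section of a snort.conf.
SAMPLE_CONF = """\
# snort.conf (constructed sample)
var HOME_NET 192.168.1.0/24
include icmp.rules
include scan.rules
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def rule_sid(line):
    """Return the sid of a rule line, or None if the line carries no sid option."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def is_comment(line):
    """A rule or include line is disabled when it starts with '#'."""
    return line.lstrip().startswith("#")


def find_rule_by_sid(rules_text, sid):
    """Return (msg, rule line) for the active rule with this sid, or None."""
    for line in rules_text.splitlines():
        if is_comment(line) or rule_sid(line) != sid:
            continue
        m = MSG_RE.search(line)
        return (m.group(1) if m else "", line.strip())
    return None


def snort_db_url(sid):
    """The snort-db lookup URL in the form given in the message above."""
    return f"http://www.snort.org/snort-db/sid.html?id={sid}"


def disable_rule(rules_text, sid):
    """Comment out the rule with this sid. Returns (new text, number of lines changed)."""
    out, changed = [], 0
    for line in rules_text.splitlines():
        if not is_comment(line) and rule_sid(line) == sid:
            out.append("# " + line)
            changed += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def disable_include(conf_text, rules_file):
    """Comment out 'include <rules_file>' in a snort.conf. Returns (new text, count)."""
    out, changed = [], 0
    for line in conf_text.splitlines():
        parts = line.split()
        if (not is_comment(line) and len(parts) == 2
                and parts[0] == "include" and parts[1] == rules_file):
            out.append("# " + line)
            changed += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def active_sids(rules_text):
    """Sorted sids of the rules that are still enabled in the given text."""
    sids = (rule_sid(l) for l in rules_text.splitlines() if not is_comment(l))
    return sorted(s for s in sids if s is not None)


if __name__ == "__main__":
    hit = find_rule_by_sid(SAMPLE_RULES, 1000001)
    print("found:", hit, "->", snort_db_url(1000001))
    new_rules, n = disable_rule(SAMPLE_RULES, 1000001)
    print(f"disabled {n} rule(s); still active: {active_sids(new_rules)}")
    new_conf, n = disable_include(SAMPLE_CONF, "icmp.rules")
    print(new_conf)
```

The sid match is on the `sid:` option rather than on the msg text because the msg is free-form and may be changed between revisions, while the sid is the identifier the snort-db lookup keys on. The parser assumes one rule per line; Snort also accepts rules continued across lines with a trailing backslash, which this sample does not handle.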

