Snort mailing list archives

How to Write Snort Rules and Keep Your Sanity...


From: "Hever C. Rocha - N.O.C" <hever () itcbrasil com br>
Date: Wed, 13 Mar 2002 10:03:16 -0300



Hi Snort Users

I am trying to create some rules for the following condition:

I have a network 1.1.1.1/20 (bogus IP!), and I want all ICMP pings
from this network not to be recorded in my SQL database; however, I want
the ICMP pings from another network to be recorded.

I know that I have to use the "pass rules", but my rules are not working...

ex: 
 my local.rules

pass icmp any any <> 1.1.1.1/20  any ( not working)
pass icmp any any -> 1.1.1.1/20  any  ( not working)

For now I have disabled the "ICMP ping" and "ICMP ping undefined" code rules
set, but that is not ideal...

Suggestions?


Best Regards from Bahia/Brasil

Hever Costa Rocha
N.O.C
55 (73) 234-3029
55 (73) 9133-0107
email: hever () itcbrasil com br
www.itcbrasil.com.br

