Snort mailing list archives
RE: ICMP Large Packets Alerts
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Fri, 22 Mar 2002 15:29:20 -0500
I'm receiving a flood of alerts from Digital Island that pings my DNS servers. This ping comes in from 100+ different IPs all owned by Digital Island who own the datacenter I have a few boxes in. Is there a way to filter out packets with this beginning in them for Snort?
I am sure there are a couple of ways; this is what I would do:

..........................
# snort <options> -F <name and loc of BPF filter>

The contents of the filter will depend on what you wish to drop. To drop all icmp from DI the following would do:

not (icmp and net <enter Digital Island NET>)

Or to just drop "echo request and reply" the following would work:

not ( net <enter Digital Island's NET> and (icmp[0:1]=8 or icmp[0:1]=0))

* icmp type 0 = echo reply, type 8 = echo request
* see your local manpage for more BPF info ;-)
...........................

This way snort drops the packets before any analysis is attempted.

Hope this helps..

- Jeff

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
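As an added illustration (not part of the original post), the Python below mirrors the two BPF expressions from the reply byte-for-byte against constructed IPv4/ICMP packets, so you can see exactly which packets Snort would never get to analyse. The 192.0.2.0/24 block is an assumed placeholder for Digital Island's real network, and all packets are constructed inline.

```python
import ipaddress
import struct

# Constructed placeholder standing in for "<enter Digital Island's NET>".
DI_NET = ipaddress.ip_network("192.0.2.0/24")
ECHO_REPLY, ECHO_REQUEST = 0, 8


def build_packet(src, dst, proto=1, icmp_type=ECHO_REQUEST, ihl=5):
    """Constructed IPv4 packet (no link-layer header). ihl > 5 pads the
    header with IP options, so the ICMP type is not at a fixed offset of 20."""
    hdr_len = ihl * 4
    payload = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + b"A" * 56
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, hdr_len + len(payload),
                         0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return ip_hdr + b"\x00" * (hdr_len - 20) + payload


def _decode(pkt):
    """Pull out the fields the BPF primitives look at."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                      # 1 == ICMP
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    # icmp[0:1] is the first byte after the variable-length IP header
    icmp_type = pkt[ihl] if proto == 1 else None
    return proto, src, dst, icmp_type


def passes_drop_all_icmp(pkt, net=DI_NET):
    """Filter 1: not (icmp and net X). True means Snort still sees the packet."""
    proto, src, dst, _ = _decode(pkt)
    in_net = src in net or dst in net   # 'net X' matches either direction
    return not (proto == 1 and in_net)


def passes_drop_echo_only(pkt, net=DI_NET):
    """Filter 2: not (net X and (icmp[0:1]=8 or icmp[0:1]=0))."""
    proto, src, dst, icmp_type = _decode(pkt)
    in_net = src in net or dst in net
    is_echo = proto == 1 and icmp_type in (ECHO_REQUEST, ECHO_REPLY)
    return not (in_net and is_echo)
```

Note that filter 2 still lets other ICMP types (for example destination unreachable) from the same network through to Snort, which is usually what you want when the noise is only echo traffic.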
Current thread:
- ICMP Large Packets Alerts Kevin L Pawloski (Mar 22)
- <Possible follow-ups>
- RE: ICMP Large Packets Alerts Wirth, Jeff (Mar 22)