Snort mailing list archives

RE: ICMP Large Packets Alerts


From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Fri, 22 Mar 2002 15:29:20 -0500


I'm receiving a flood of alerts from Digital Island that pings my DNS
servers. This ping comes in from 100+ different IPs all owned by Digital
Island who own the datacenter I have a few boxes in. Is there a way to
filter out packets with this beginning in them for Snort?

I am sure there are a couple of ways, this is what I would do:

..........................

# snort <options> -F <name and loc of BPF filter>

The contents of the filter will depend on what you wish to drop.  To drop
all icmp from DI the following would do:

not (icmp and net <enter Digital Island NET>)

Or to just drop "echo request and reply" the following would work:

not ( net <enter Digital Island's NET> and (icmp[0:1]=8 or icmp[0:1]=0))

* icmp type 0 = echo reply, type 8 = echo request

* see your local manpage for more BPF info ;-)

...........................

This way snort drops the packets before any analysis is attempted.

Hope this helps..

- Jeff
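The two BPF expressions above, replayed in Python over constructed IPv4/ICMP packets, as an added example that is not part of Jeff's reply or of Snort itself. It shows what `icmp[0:1]` actually tests (the ICMP type byte), that `net` matches either source or destination, and that the echo-only filter still lets other ICMP types from the same block through to analysis. The prefix 192.0.2.0/24 is an assumed stand-in for Digital Island's block.

```python
# Added example (not from the original post): evaluate the equivalent of
#   not (net DI_NET and (icmp[0:1]=8 or icmp[0:1]=0))     (echo_only=True)
#   not (icmp and net DI_NET)                              (echo_only=False)
# on raw packets, to see exactly which ones Snort would skip.
import ipaddress
import struct

DI_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: stand-in for DI's net
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def build_ipv4_icmp(src, dst, icmp_type, code=0):
    """Construct a minimal 20-byte IPv4 header + 8-byte ICMP header.
    Checksums are left zero; the filter never reads them."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28, 0, 0, 64, 1, 0,          # ver/ihl, tos, len, id, frag, ttl, proto=ICMP, csum
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)  # type, code, csum, id, seq
    return header + icmp


def snort_would_analyze(pkt, echo_only=True):
    """True if the packet passes the BPF filter, i.e. Snort would inspect it."""
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    is_icmp = pkt[9] == 1                # protocol field
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    in_net = src in DI_NET or dst in DI_NET   # BPF 'net X' matches src OR dst
    if not echo_only:
        return not (is_icmp and in_net)
    # icmp[0:1] is the first byte of the ICMP header: the type field
    is_echo = is_icmp and pkt[ihl] in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST)
    return not (in_net and is_echo)


if __name__ == "__main__":
    dns = "198.51.100.53"  # constructed: the DNS server being pinged
    for label, pkt in [("echo request from DI", build_ipv4_icmp("192.0.2.10", dns, 8)),
                       ("echo reply back to DI", build_ipv4_icmp(dns, "192.0.2.10", 0)),
                       ("dest-unreachable from DI", build_ipv4_icmp("192.0.2.10", dns, 3)),
                       ("echo request from elsewhere", build_ipv4_icmp("203.0.113.7", dns, 8))]:
        print(f"{label:30s} analyzed={snort_would_analyze(pkt)}")
```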

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

