Snort mailing list archives
Re: icmp i want to ignore
From: Steve Scott <sjscott007 () earthlink net>
Date: 05 Jun 2002 14:54:17 -0500
Don,
What I do is place a pass rule in my local.rules file. See the
following:
pass icmp <IP-ADDRESS> any -> $HOME_NET any (msg:"ICMP L3retriever Ping
- MANAGEMENT MACHINE - STEVE"; content:
"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;
reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
I also put a comment in the msg section explaining why the filter was
added and who added it.
To use this you must have the -o parameter specified when you start
snort. This changes the default rule order.
Steve
On Wed, 2002-06-05 at 14:26, Don wrote:
the following rule in icmp.rules alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;) triggers an alert for me i wish to ignore, from 1 source IP address, I know what causes it on this source, so i wish to ignore this source only, what would be the best way for this? any suggestions Don _______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Best real-time alerting tool Sheahan, Paul (PCLN-NW) (Jun 04)
- RE: Best real-time alerting tool Don (Jun 04)
- <Possible follow-ups>
- RE: Best real-time alerting tool Tom Sevy (Jun 05)
- RE: Best real-time alerting tool Sheahan, Paul (PCLN-NW) (Jun 05)
- Re: Best real-time alerting tool CJATeck (Jun 05)
- RE: Best real-time alerting tool Ryan Hill (Jun 05)
- icmp i want to ignore Don (Jun 05)
- Re: icmp i want to ignore Steve Scott (Jun 05)
- Re: icmp i want to ignore Erek Adams (Jun 05)
- icmp i want to ignore Don (Jun 05)
- RE: Best real-time alerting tool Fraser Hugh (Jun 06)
- RE: Best real-time alerting tool Fraser Hugh (Jun 07)
- RE: Best real-time alerting tool John Ruff (Jun 09)