Re: I do not know which rule is use

["Larc" <larc () pandora be>]

Just make a pass rule like
pass icmp $your_server any -> $your_router any (itype: 8;)

Regards,
Stefan Dens

------------------------
 VLERICK ROLAND <Roland.Vlerick () sbs be> wrote:
------------------------
Dear snort-users,
> Snort Version 1.7 
>
> In snort.conf :
>
> var BB_NET 10.1.224.81/32
>
> var HOME_NET $hme0_ADDRESS
>
> hme0 = 10.1.224.87
>
> Rule ping-lib :
>
> ping-lib:alert icmp !$BB_NET any -> $HOME_NET any (msg:"IDS152 - PING BSD"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 
> 12 13 14 15 16 17|"; itype: 8; depth: 32;)
>
> Output in alert file :
>
> My server where snort is one sends ping to his default router , how can I ignore this please !!!!!!!!!!!!!
>
> [**] IDS152 - PING BSD [**]
> 08/14-10:14:54.030952 10.1.224.87 -> 10.1.224.10
> ICMP TTL:1 TOS:0x0 ID:16005 IpLen:20 DgmLen:84
> Type:8  Code:0  ID:6734   Seq:0  ECHO
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: Dice - The leading online job board
> for high-tech professionals. Search and apply for tech jobs today!
> http://seeker.dice.com/seeker.epl?rel_code=31
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users