Snort mailing list archives
RE: resp in rule
From: "Bob McDowell" <bmcdowell () coxhealthplans com>
Date: Thu, 30 Jan 2003 13:29:47 -0600
Logically, I would think that it is possible. The real question is, would it do what you have in mind?

I'm not up on the rules language, but there is a flex-resp action for it: icmp_host (for destination host unreachable, anyway). The rule could be triggered by ICMP requests of the proper type.

The catch is, though, that that same ICMP request would in fact breeze right by the IDS unmolested. The end result is most likely two answers for the same request. Maybe you could 'patch' this up by blocking the normal answers via firewall rules. You could block all ICMP answers from everything but the IDS... That might work.

Bear in mind, this is all still fuzzy logic. I have tested none of this. Can anyone else lend a hand here?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of JR
Sent: Wednesday, January 29, 2003 3:20 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] resp in rule

I would like to create a rule that responds to any ping with a "destination unreachable" as opposed to the Windows "timed out". Is this possible?

Thanx
JR
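A rule of the kind the reply describes, written out as an added example that is not part of the original post. It assumes a Snort build with flexible response support compiled in and the stock `$EXTERNAL_NET` / `$HOME_NET` variables; the `sid` and `msg` text are constructed for illustration.

```snort
# local.rules: added example, not from the thread.
# Assumption: Snort was built with flexible response support
# (./configure --enable-flexresp); without it the resp keyword is rejected.
#
# itype:8         match ICMP echo requests (ping) only
# resp:icmp_host  have the sensor send an ICMP host-unreachable to the sender
# sid:1000001     constructed value in the local-rules range
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request answered with host unreachable"; itype:8; resp:icmp_host; sid:1000001; rev:1;)
```

The sensor only observes the echo request, so the pinged host still sends its own echo reply unless a firewall drops it; that is the "two answers for the same request" the reply points out.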