Snort mailing list archives

RE: resp in rule


From: "Bob McDowell" <bmcdowell () coxhealthplans com>
Date: Thu, 30 Jan 2003 13:29:47 -0600

Logically, I would think that it is possible.  The real question is, would
it do what you have in mind?  I'm not up on the rules language, but there is
a flex-resp action for it:  icmp_host (for destination host unreachable,
anyway).  The rule could be triggered by ICMP requests of the proper type.
The catch is, though, that that same ICMP request would in fact breeze right
by the IDS unmolested.  The end result is most likely two answers for the
same request.  Maybe you could 'patch' this up by blocking the normal
answers via firewall rules.  You could block all ICMP answers from
everything but the IDS...  That might work.  Bear in mind, this is all still
fuzzy logic.  I have tested none of this.

Can anyone else lend a hand here?


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of JR
Sent: Wednesday, January 29, 2003 3:20 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] resp in rule


I would like to create a rule that responds to any ping with a "destination
unreachable" as opposed to the Windows "timed out".
Is this possible?
Thanx
JR
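Putting the suggestion in the reply above into a concrete rule, as an added example that is not from the original thread and was not posted by either participant: a Snort 1.9/2.0-era flexresp rule that fires on ICMP echo requests to the protected network and has the sensor answer with an ICMP host-unreachable. The HOME_NET value, the sid, and the firewall placement mentioned afterwards are assumptions.

```snort
# Added example (not from the thread). Requires Snort built with
# --enable-flexresp (the 1.9/2.0-era flexible response code); without it
# the resp keyword is rejected when the rules are loaded.
var HOME_NET 192.168.1.0/24          # assumed protected network

# Fire on ICMP echo requests (itype 8) aimed at HOME_NET and have the
# sensor send an ICMP destination-unreachable (host) back to the source.
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request answered with host unreachable"; itype:8; resp:icmp_host; sid:1000001; rev:1;)
```

Because the sensor only sniffs, the echo request still reaches the target and the sender gets both the real echo reply and the sensor's unreachable; which one Windows `ping` reports depends on which arrives first. To suppress the genuine reply, a netfilter rule on the perimeter box (assumed placement) such as `iptables -A FORWARD -p icmp --icmp-type echo-reply -s 192.168.1.0/24 -j DROP` drops echo replies leaving HOME_NET while leaving the sensor's unreachable messages alone, since those are ICMP type 3 rather than type 0. Try the race on a lab segment before relying on it.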



