Snort mailing list archives

RE: ICMP Ping NMAP troubleshooting


From: Erek Adams <erek () snort org>
Date: Tue, 20 May 2003 10:12:19 -0400 (EDT)

On Tue, 20 May 2003, Stephen W. Thomas wrote:

> That would be another option. Of course the example uses a source as the
> one you want to ignore/filter and in my case I don't want to ignore all
> of our servers as the source rather I want to ignore the one server as
> the destination. I was thinking about modifying the ICMP Ping NMAP rule
> to read something like "alert xxxx $EXTERNAL_NET any -> $HOME_NET !foo"

Actually, you missed something on there....  Check out the BPF filter
section again.  It shows you how to ignore all ICMP ECHO and ICMP ECHO
REQUEST codes from a specific host.  Now if you just wanted to ignore
_all_ hosts, you don't need the 'host <foo>' filter expression.  You
don't even have to know where you want to ignore it from.  :)

There's also something else that isn't clear from that.  You can also make
the pass rules more specific.  For example, the original rule:

  alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
  dsize: 0; itype: 8; reference:arachnids,162;  classtype:attempted-recon;
  sid:469; rev:1;)

Let's massage this a bit:

  pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8;
  sid:1000469; rev:1;)

A pass rule is still a rule.  It can have each and every part that an alert
or log rule does.  By using the qualifiers, you can make the pass rule
more specific.

> The one question I have with this is will it get overwritten when Acid
> updates the rules?

ACID does not update rules.  ACID is simply a 'viewing' front end written
in PHP that pulls data from a MySQL or Postgres DB.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
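Editor's worked example (added here; not part of the original thread and not Erek's or the Snort project's text): the pass rule from the message above, narrowed to the case Stephen actually asked about, one server as the destination rather than a source. The address 10.0.0.5 is a placeholder for that server, and sid 1000469 is an arbitrary local-range sid chosen to echo the stock sid 469.

```snort
# Added example, not from the original post. 10.0.0.5 stands in for the one
# server whose incoming NMAP-style pings should not raise an alert; replace
# it with the real address. Local rules must use sids above 1,000,000.

# The stock rule is left untouched and keeps firing for every other host:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)

# Pass rule carrying the same qualifiers (dsize:0, itype:8), plus icode:0 and
# a single destination host. It matches exactly the packets sid 469 would
# match when they are headed for 10.0.0.5, and nothing else, so pings to the
# rest of $HOME_NET still alert.
pass icmp $EXTERNAL_NET any -> 10.0.0.5/32 any (msg:"ICMP PING NMAP - ignored for 10.0.0.5"; dsize:0; itype:8; icode:0; sid:1000469; rev:1;)
```

Two caveats a reader of this thread would want. First, in the Snort 2.0-era releases this message refers to, rules are applied in Alert -> Pass -> Log order by default, so a pass rule only suppresses the alert when Snort is started with `-o`, which switches the order to Pass -> Alert -> Log (later 2.x releases made pass-first configurable and the default via `config order`); check `snort -?` for the build in use. Second, the BPF approach Erek points to, e.g. starting Snort with the filter `not (icmp[0] = 8 and icmp[1] = 0 and dst host 10.0.0.5)` on the command line or in a file passed with `-F`, drops those packets before any rule sees them, whereas the pass rule above still leaves the packet visible to every other rule in the set.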

