![snort logo](/images/snort-logo.png)
Snort mailing list archives
RE: ICMP Ping NMAP troubleshooting
From: Erek Adams <erek () snort org>
Date: Tue, 20 May 2003 10:12:19 -0400 (EDT)
On Tue, 20 May 2003, Stephen W. Thomas wrote:
> That would be another option. Of course the example uses a source as the one you want to ignore/filter and in my case I don't want to ignore all of our servers as the source rather I want to ignore the one server as the destination. I was thinking about modifying the ICMP Ping NMAP rule to read something like "alert xxxx $EXTERNAL_NET any -> $HOME_NET !foo"
Actually, you missed something on there.... Check out the BPF filter section again. It shows you how to ignore all ICMP ECHO and ICMP ECHO REQUEST codes from a specific host. Now if you just wanted to ignore _all_ hosts, you don't need the 'host <foo>' filter expression. You don't even have to know where you want to ignore it from. :)

There's also something else that isn't clear from that. You can also make the pass rules more specific. For example, the original rule:

```
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)
```

Let's massage this a bit:

```
pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8; sid:1000469; rev:1;)
```

A pass rule is still a rule. It can have each and every part that an alert or log rule does. By using the qualifiers, you can make the pass rule more specific.
> The one question I have with this is will it get overwritten when Acid updates the rules?
ACID does not update rules. ACID is simply a 'viewing' front end written in PHP that pulls data from a MySQL or Postgres DB. Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
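As an added illustration (not Snort code and not from the thread), the following toy matcher models how a qualified pass rule like the one above interacts with the stock alert rule, including the `!host` destination negation the original question asked about. The host 192.0.2.10 and the packets are constructed; the rule-type ordering mirrors Snort 2.x, whose default is alert, pass, log unless `-o` or `config order: pass alert log` is set.

```python
"""Toy model of Snort rule-type ordering for the ICMP PING NMAP case.
Added example, not Snort's own code. Only the fields the thread uses are
modelled: protocol, destination address (with '!' negation), dsize, itype."""
from ipaddress import ip_address, ip_network

# Constructed rules: the stock alert (sid 469 in the thread) and a pass rule
# narrowed to one destination host (192.0.2.10 is an assumed example host).
RULES = [
    ("pass",  "icmp", "192.0.2.10", {"dsize": 0, "itype": 8}),
    ("alert", "icmp", "any",        {"dsize": 0, "itype": 8}),
]


def dst_matches(spec, dst):
    """Snort-style address field: 'any', 'a.b.c.d', 'a.b.c.d/nn', or a
    '!'-prefixed form meaning 'everything except'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ip_network(spec.lstrip("!"), strict=False)
    hit = ip_address(dst) in net
    return not hit if negate else hit


def options_match(opts, pkt):
    """Every rule option (dsize, itype) must equal the packet's value."""
    return all(pkt.get(key) == val for key, val in opts.items())


def first_action(pkt, order=("alert", "pass", "log")):
    """Return the action of the first rule that matches `pkt`, evaluating
    rule types in `order`. The default order is Snort 2.x's default, under
    which the alert fires before the pass rule is ever consulted; pass the
    order ("pass", "alert", "log") to model running with -o."""
    for action in order:
        for act, proto, dst, opts in RULES:
            if act != action or proto != pkt["proto"]:
                continue
            if dst_matches(dst, pkt["dst"]) and options_match(opts, pkt):
                return action
    return None


# Constructed packets: an NMAP-style empty echo request to the ignored host,
# the same probe to another host, and a normal-sized ping.
NMAP_PING_TO_FOO = {"proto": "icmp", "dst": "192.0.2.10", "dsize": 0, "itype": 8}
NMAP_PING_TO_OTHER = {"proto": "icmp", "dst": "192.0.2.20", "dsize": 0, "itype": 8}
NORMAL_PING = {"proto": "icmp", "dst": "192.0.2.10", "dsize": 64, "itype": 8}
```

Run with the default order the pass rule never wins; only with pass-first ordering does the probe to the ignored host stop alerting, while probes to any other host still do.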
Current thread:
- ICMP Ping NMAP troubleshooting Stephen W. Thomas (May 20)
- Re: ICMP Ping NMAP troubleshooting Erek Adams (May 20)
- Re: ICMP Ping NMAP troubleshooting Simon Gray (May 20)
- <Possible follow-ups>
- RE: ICMP Ping NMAP troubleshooting Stephen W. Thomas (May 20)
- RE: ICMP Ping NMAP troubleshooting Erek Adams (May 20)
- RE: ICMP Ping NMAP troubleshooting Stephen W. Thomas (May 20)
- RE: ICMP Ping NMAP troubleshooting Stephen W. Thomas (May 20)