Snort mailing list archives
RE: ICMP Ping NMAP troubleshooting
From: "Stephen W. Thomas" <swthomas () techsoft com>
Date: Tue, 20 May 2003 09:21:43 -0500
"Let's massage this a bit: pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8; sid:1000469; rev:1;)"

Doesn't this in effect ignore all ICMP Ping from anyone to anyone on my network? I would think I still want to be aware of ICMP Pings to the other hosts on my net, just not the one I'm aware of. Would this work?

pass icmp $EXTERNAL_NET any -> $HOME_NET !foo (dsize: 0; itype: 8; sid:1000469; rev:1;)

Where "foo" is the IP address for my server that's getting the known pings. I would think this would still alert on ICMP Pings to other hosts on my network, just not to foo.

Thanks,
Steve

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Tue 5/20/2003 9:12 AM
To: Stephen W. Thomas
Cc: Erek Adams; snort-users () lists sourceforge net
Subject: RE: [Snort-users] ICMP Ping NMAP troubleshooting

On Tue, 20 May 2003, Stephen W. Thomas wrote:

> That would be another option. Of course the example uses a source as the
> one you want to ignore/filter and in my case I don't want to ignore all
> of our servers as the source rather I want to ignore the one server as
> the destination. I was thinking about modifying the ICMP Ping NMAP rule
> to read something like "alert xxxx $EXTERNAL_NET any -> $HOME_NET !foo"

Actually, you missed something on there.... Check out the BPF filter section again. It shows you how to ignore all ICMP ECHO and ICMP ECHO REQUEST codes from a specific host. Now if you just wanted to ignore _all_ hosts, you don't need the 'host <foo>' filter expression. You don't even have to know where you want to ignore it from. :)

There's also something else that isn't clear from that. You can also make the pass rules more specific.

For example, the original rule:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)

Let's massage this a bit:

pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8; sid:1000469; rev:1;)

A pass rule is still a rule. It can have each and every part that an alert or log rule does. By using the qualifiers, you can make the pass rule more specific.

> The one question I have with this is will it get overwritten when Acid
> updates the rules?

ACID does not update rules. ACID is simply a 'viewing' front end written in PHP that pulls data from a MySQL or Postgres DB.

Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
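Added example, not part of the thread and not Snort's own code: a small Python model of how a Snort rule header and the pass/alert rule ordering decide what happens to an ICMP echo request, loaded with the stock NMAP ping alert quoted above and one pass rule. Everything concrete is constructed for the example: the $HOME_NET and $EXTERNAL_NET bindings, the hypothetical server foo = 192.168.1.10, a second pass rule with sid 1000470 that names foo as the destination instead of negating it, and the sample packets. Because a Snort rule header reads destination address and then destination port after the arrow, the negation is written in the address field here (-> !foo any). The model takes the rule order as a parameter, since Snort 2 of this era tried alert rules before pass rules unless started with -o, which reorders to pass, alert, log. Ports are not modelled because ICMP has none.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed bindings for this example; the thread does not give real addresses.
VARS = {
    "$HOME_NET": "192.168.1.0/24",
    "$EXTERNAL_NET": "!192.168.1.0/24",   # "not home", the usual snort.conf setting
    "foo": "192.168.1.10",                # hypothetical server receiving the known pings
}

# The alert rule from the thread, plus two pass rules: one negating foo as the
# destination, one (constructed, sid 1000470) naming foo as the destination.
ORIGINAL_ALERT = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; '
                  'dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; '
                  'sid:469; rev:1;)')
PASS_NOT_FOO = "pass icmp $EXTERNAL_NET any -> !foo any (dsize: 0; itype: 8; sid:1000469; rev:1;)"
PASS_FOO = "pass icmp $EXTERNAL_NET any -> foo any (dsize: 0; itype: 8; sid:1000470; rev:1;)"

DEFAULT_ORDER = ("alert", "pass", "log")   # Snort 2 default ordering
PASS_FIRST = ("pass", "alert", "log")      # ordering selected by the -o switch


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    itype: int = 8      # ICMP echo request
    dsize: int = 0      # empty payload, which is what the NMAP ping rule keys on


RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text):
    """Split a Snort rule into its header fields and a dict of 'key: value' options."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = {}
    for item in body.split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return Rule(action, proto, src, sport, dst, dport, opts)


def addr_matches(spec, ip):
    """Snort-style address field: 'any', a $VAR, an IP or CIDR, optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = VARS.get(spec.lstrip("!"), spec.lstrip("!"))
    if spec.startswith("!"):          # the variable itself may be negated ($EXTERNAL_NET)
        negate = not negate
        spec = spec[1:]
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def rule_matches(rule, pkt):
    """Header (protocol, addresses) plus the itype/dsize qualifiers must all agree."""
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    for opt in ("itype", "dsize"):
        if opt in rule.opts and int(rule.opts[opt]) != getattr(pkt, opt):
            return False
    return True


def evaluate(rules, pkt, order=DEFAULT_ORDER):
    """First matching rule in the first action group of `order` wins, as in Snort 2."""
    for action in order:
        for rule in rules:
            if rule.action == action and rule_matches(rule, pkt):
                return action, rule.opts.get("sid")
    return "none", None


def decide(pass_rule_text, pkt, order=DEFAULT_ORDER):
    """Outcome for pkt with the stock NMAP ping alert plus one pass rule loaded."""
    return evaluate([parse_rule(ORIGINAL_ALERT), parse_rule(pass_rule_text)], pkt, order)


if __name__ == "__main__":
    pings = [Packet("10.0.0.5", "192.168.1.10"),       # external -> foo
             Packet("10.0.0.5", "192.168.1.20"),       # external -> another home host
             Packet("192.168.1.20", "192.168.1.10")]   # home -> foo, never $EXTERNAL_NET
    for label, rule in (("pass !foo", PASS_NOT_FOO), ("pass foo", PASS_FOO)):
        for order in (DEFAULT_ORDER, PASS_FIRST):
            for p in pings:
                print(f"{label:10} {order[0]}-first {p.src:>13} -> {p.dst:<13} {decide(rule, p, order)}")
```

With pass-first ordering, the negated rule (-> !foo) silences echo requests to every home host except foo, so the known pings to foo still raise sid 469 while pings to the rest of the network are passed; the rule that names foo as the destination does the reverse, passing only foo's pings and still alerting on the other hosts. With the default alert-first ordering, sid 469 fires in every case regardless of which pass rule is loaded, which is why Snort 2 of this period had to be started with -o for pass rules to suppress anything (later 2.x releases make the order configurable in snort.conf). A ping that originates inside $HOME_NET matches neither rule because $EXTERNAL_NET is the negation of $HOME_NET.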