Snort mailing list archives

RE: ICMP Ping NMAP troubleshooting


From: "Stephen W. Thomas" <swthomas () techsoft com>
Date: Tue, 20 May 2003 09:21:43 -0500

"Let's massage this a bit:

  pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8;
  sid:1000469; rev:1;)"
 
Doesn't this in effect ignore all ICMP Ping from anyone to anyone on my network? I would think I still want to be aware 
of ICMP Pings to the other hosts on my net, just not the one I'm aware of. Would this work?
 
  pass icmp $EXTERNAL_NET any -> $HOME_NET !foo (dsize: 0; itype: 8;
  sid:1000469; rev:1;)

 

Where "foo" is the IP address for my server that's getting the known pings. I would think this would still alert on 
ICMP Pings to other hosts on my network just not to foo.

Thanks,

Steve



        -----Original Message----- 
        From: Erek Adams [mailto:erek () snort org] 
        Sent: Tue 5/20/2003 9:12 AM 
        To: Stephen W. Thomas 
        Cc: Erek Adams; snort-users () lists sourceforge net 
        Subject: RE: [Snort-users] ICMP Ping NMAP troubleshooting
        
        

        On Tue, 20 May 2003, Stephen W. Thomas wrote:
        
        > That would be another option. Of course the example uses a source as the
        > one you want to ignore/filter and in my case I don't want to ignore all
        > of our servers as the source rather I want to ignore the one server as
        > the destination. I was thinking about modifying the ICMP Ping NMAP rule
        > to read something like "alert xxxx $EXTERNAL_NET any -> $HOME_NET !foo"
        
        Actually, you missed something on there....  Check out the BPF filter
        section again.  It shows you how to ignore all ICMP ECHO and ICMP ECHO
        REQUEST codes from a specific host.  Now if you just wanted to ignore
        _all_ hosts, you don't need the 'host <foo>' filter expression.  You
        don't even have to know where you want to ignore it from.  :)
        
        There's also something else that isn't clear from that.  You can also make
        the pass rules more specific.  For example, the original rule:
        
          alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
          dsize: 0; itype: 8; reference:arachnids,162;  classtype:attempted-recon;
          sid:469; rev:1;)
        
        Let's massage this a bit:
        
          pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8;
          sid:1000469; rev:1;)
        
        A pass rule is still a rule.  It can have each and every part that an alert
        or log rule does.  By using the qualifiers, you can make the pass rule
        more specific.
        
        > The one question I have with this is will it get overwritten when Acid
        > updates the rules?
        
        ACID does not update rules.  ACID is simply a 'viewing' front end written
        in PHP that pulls data from a MySQL or Postgres DB.
        
        Hope that helps!
        
        -----
        Erek Adams
        
           "When things get weird, the weird turn pro."   H.S. Thompson
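The rule-matching semantics the two messages above argue about, as an added example that is not part of the original mailing list posts: a small Python evaluator for Snort 2 rule headers (variables, `!` negation, CIDR and `[list]` address fields) plus the two ICMP options sid 469 uses, with the alert/pass ordering Snort 2.0 applied. It assumes constructed values for $HOME_NET, $EXTERNAL_NET, the external source address and the address of "foo" (192.168.1.10); none of these come from the thread. It shows which $HOME_NET destinations still raise the NMAP ping alert under each candidate pass rule, and the caveat that with Snort 2.0's default rule order (Alert, Pass, Log) a pass rule never suppresses the alert; the order selected by `snort -o` (Pass, Alert, Log) is what makes pass rules effective.

```python
import ipaddress
import re

# Network variables, constructed for this example (not from the thread).
VARS = {
    "$HOME_NET": "192.168.1.0/24",
    "$EXTERNAL_NET": "!$HOME_NET",
}

# Rule-type orders: Snort 2.0 default, and the order you get with `snort -o`.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_ORDER = ("pass", "alert", "log")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)


def parse_rule(text):
    """Split a Snort 2 rule into its header fields and an option dict."""
    m = HEADER_RE.match(" ".join(text.split()))  # collapse line breaks
    if not m:
        raise ValueError("unparsable rule: " + text)
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def addr_matches(spec, ip):
    """Evaluate a Snort address field: variable, ! negation, [list], CIDR, any."""
    spec = VARS.get(spec, spec)
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(s.strip(), ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """Header match plus the two ICMP options sid 469 relies on (dsize, itype)."""
    o = rule["opts"]
    return (rule["proto"] == pkt["proto"]
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and ("itype" not in o or int(o["itype"]) == pkt["itype"])
            and ("dsize" not in o or int(o["dsize"]) == pkt["dsize"]))


def verdict(rules, pkt, order=DEFAULT_ORDER):
    """Return the action taken: the first rule type in `order` with a match wins.
    Under DEFAULT_ORDER an alert fires even when a pass rule also matches."""
    for action in order:
        if any(r["action"] == action and rule_matches(r, pkt) for r in rules):
            return action
    return "none"


def ping(src, dst):
    """Constructed zero-payload ICMP echo request, the shape sid 469 looks for."""
    return {"proto": "icmp", "src": src, "dst": dst, "itype": 8, "dsize": 0}


NMAP_PING = parse_rule('''alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP";
  dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;)''')

# The pass rule from the thread: silences the ping alert for every host in $HOME_NET.
PASS_ALL = parse_rule("pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8; sid:1000469; rev:1;)")

FOO = "192.168.1.10"  # assumed address of "foo", the server whose pings are expected

# Pass pings only when the destination is foo; every other host keeps alerting.
PASS_FOO_ONLY = parse_rule(f"pass icmp $EXTERNAL_NET any -> {FOO} any (dsize: 0; itype: 8; sid:1000470; rev:1;)")

# Negated destination address: pass pings to every host except foo.
PASS_ALL_BUT_FOO = parse_rule(f"pass icmp $EXTERNAL_NET any -> !{FOO} any (dsize: 0; itype: 8; sid:1000471; rev:1;)")


def alerted_hosts(pass_rule, hosts, order=PASS_ORDER):
    """Destinations that still raise the NMAP ping alert with pass_rule loaded."""
    return [h for h in hosts if verdict([NMAP_PING, pass_rule], ping("10.9.8.7", h), order) == "alert"]


if __name__ == "__main__":
    hosts = [FOO, "192.168.1.20", "192.168.1.30"]
    for name, rule in [("pass all", PASS_ALL), ("pass foo only", PASS_FOO_ONLY),
                       ("pass all but foo", PASS_ALL_BUT_FOO)]:
        print(f"{name:17s} default order alerts on: {alerted_hosts(rule, hosts, DEFAULT_ORDER)}")
        print(f"{name:17s} -o order alerts on:      {alerted_hosts(rule, hosts)}")
```

The evaluator deliberately keeps the negation in the destination address field (the token before the port), which is where Snort's header grammar reads it; the port field of an ICMP rule is normally `any`. Run it before loading a pass rule to confirm it excludes exactly the host you expect and nothing more.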
        
