Snort mailing list archives
RE: ICMP Ping NMAP troubleshooting
From: "Erek Adams" <erek () snort org>
Date: Tue, 20 May 2003 11:25:29 -0400 (EDT)
On Tue, 20 May 2003, Stephen W. Thomas wrote:
"Let's massage this a bit: pass icmp $EXTERNAL_NET any -> $HOME_NET any (dsize: 0; itype: 8; sid:1000469; rev:1;)" Doesn't this in effect ignore all ICMP Ping from anyone to anyone on my network?
Not exactly. It ignores ICMP type 8 (pings) with a dsize of 0. NMAP pings don't have a payload, hence the dsize of 0. Other pings have a payload of some sort, or of some pattern.
I would think I still want to be aware of ICMP Pings to the other hosts on my net, just not the one I'm aware of. Would this work?

    pass icmp $EXTERNAL_NET any -> $HOME_NET !foo (dsize: 0; itype: 8; sid:1000469; rev:1;)

Where "foo" is the IP address for my server that's getting the known pings. I would think this would still alert on ICMP Pings to other hosts on my network, just not to foo.
Excellent! Now you're starting to think of ways to make it a 'tighter rule'! Woo-Hoo! :)

Sadly, the rule you have wouldn't work quite as you expect. The !foo would translate to 'not port foo' instead of 'not host foo'.... And you wouldn't want it as 'not host foo' since that would pass all of that traffic to all hosts _except_ foo.

If you wanted it a bit tighter:

    pass icmp $EXTERNAL_NET any -> $SENSOR_IP any (dsize: 0; itype: 8; sid: 1000469; rev:1;)

Or maybe even better, since you only are dealing with these on your internal network:

    pass icmp $HOME_NET any -> $SENSOR_IP any (dsize: 0; itype: 8; sid: 1000469; rev:1;)

Or if you really want to get fancy:

    var NOISY_SERVERS [10.10.10.10/32,10.10.10.19/32,192.168.1.0/24]
    pass icmp $NOISY_SERVERS any -> $SENSOR_IP any (dsize: 0; itype: 8; sid: 1000469; rev:1;)

Check out the second chapter [0] of the Snort Users Manual [1], as it covers rules quite a bit.

Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.snort.org/docs/writing_rules/chap2.html#tth_chAp2
[1] http://www.snort.org/docs/writing_rules/
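The points made in this reply (that `!foo` in the seventh header position is a port field, that `dsize:0; itype:8` matches only empty echo requests, and that a `var` list of CIDRs narrows the source) can be checked with a small rule matcher. This is an added example written for this page, not Snort's own parser or code from the thread; the variable values, the sensor address 192.168.1.5 and the packets are constructed for illustration.

```python
import ipaddress
import re

# Constructed variable table for the rules quoted in the thread (addresses are made up).
VARS = {
    "$EXTERNAL_NET": "!192.168.1.0/24",
    "$HOME_NET": "192.168.1.0/24",
    "$SENSOR_IP": "192.168.1.5/32",
    "$NOISY_SERVERS": "[10.10.10.10/32,10.10.10.19/32,192.168.1.0/24]",
}

def ip_matches(spec, ip):
    """Snort-style IP field: 'any', a CIDR, a [list] of CIDRs, or a '!' negation of one of those."""
    spec = VARS.get(spec, spec)
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec == "any":
        return True
    nets = spec.strip("[]").split(",") if spec.startswith("[") else [spec]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n.strip()) for n in nets)

def parse_rule(text):
    """Split the header into its positional fields and the options into a dict."""
    head, opts = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options = dict(re.findall(r"(\w+)\s*:\s*(\w+)", opts))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": options}

def rule_matches(rule, pkt):
    """pkt: proto, src, dst, itype and payload bytes. Port fields are irrelevant for ICMP."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (ip_matches(rule["src"], pkt["src"]) and ip_matches(rule["dst"], pkt["dst"])):
        return False
    o = rule["opts"]
    if "itype" in o and int(o["itype"]) != pkt["itype"]:
        return False
    if "dsize" in o and int(o["dsize"]) != len(pkt["payload"]):  # dsize = payload length
        return False
    return True

# Erek's tightened pass rule, with the option syntax normalised (itype takes a colon).
PASS_RULE = parse_rule("pass icmp $EXTERNAL_NET any -> $SENSOR_IP any "
                       "(dsize:0; itype:8; sid:1000469; rev:1;)")

def echo(src, dst, payload=b""):
    """Constructed ICMP echo request (type 8); nmap-style pings carry no payload."""
    return {"proto": "icmp", "src": src, "dst": dst, "itype": 8, "payload": payload}

def is_passed(pkt):
    """True when the pass rule silences this packet; False means Snort would still alert."""
    return rule_matches(PASS_RULE, pkt)

if __name__ == "__main__":
    print(is_passed(echo("203.0.113.7", "192.168.1.5")))             # empty ping to sensor
    print(is_passed(echo("203.0.113.7", "192.168.1.5", b"x" * 56)))  # normal ping, still alerts
    print(parse_rule("pass icmp $EXTERNAL_NET any -> $HOME_NET !foo (dsize:0;)")["dport"])
```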