Snort mailing list archives

RE: ICMP rule not behaving as expected


From: Neil Dickey <neil () geol niu edu>
Date: Mon, 7 Apr 2003 13:17:58 -0500 (CDT)


"Tobias Rice" <rice () up edu> wrote in response to me:

> Hmmm. I'll take a stab...
> Try this:
>
> pass icmp [my.home.net.0/24,offending.box.external.net] any -> $HOME_NET any \
>    (msg:"ICMP Destination Unreachable (Undefined Code!)"; itype: 3; sid:407; \
>    classtype:misc-activity; rev:4;)

Thanks much, Tobias!  That did it.  I used this syntax ...

  pass icmp $ICMP_AVOID any -> $HOME_NET any ( .... )

... with ICMP_AVOID set to ...

  var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]

... in snort.conf and it works fine.

I still don't understand why the other method didn't work,
though; it seems to me it should have.  The "NOT" operator
( ! ) works fine for ...

  var HOME_NET my.home.net.0/24
  var EXTERNAL_NET !$HOME_NET

... where HOME_NET contains a single value, but it doesn't
seem to work if there is more than one value assigned.

Thanks again, Tobias.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115



