Snort mailing list archives
RE: ICMP rule not behaving as expected
From: Neil Dickey <neil () geol niu edu>
Date: Mon, 7 Apr 2003 13:17:58 -0500 (CDT)
"Tobias Rice" <rice () up edu> wrote in response to me:
> Hmmm. I'll take a stab... Try this:
>
> pass icmp [my.home.net.0/24,offending.box.external.net] any -> $HOME_NET any (msg:"ICMP Destination \
> Unreachable (Undefined Code!)"; itype: 3; sid:407; classtype:misc- \
> activity; rev:4;)
Thanks much, Tobias! That did it. I used this syntax ...

    pass icmp $ICMP_AVOID any -> $HOME_NET any ( .... )

... with ICMP_AVOID set to ...

    var ICMP_AVOID [my.home.net.0/24,offending.box.external.net]

... in snort.conf and it works fine.

I still don't understand why the other method didn't work, though; it seems to me it should have. The "NOT" operator ( ! ) works fine for ...

    var HOME_NET my.home.net.0/24
    var EXTERNAL_NET !$HOME_NET

... where HOME_NET contains a single value, but it doesn't seem to work if there is more than one value assigned.

Thanks again, Tobias.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
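Added example, not part of the original thread and not Snort's own code: the Python below models the matching the message above expected from a negated multi-value variable, so the set of sources a rule header is meant to cover can be checked against what a given Snort build actually does. The addresses are constructed documentation-range stand-ins for my.home.net.0/24 and offending.box.external.net, the function names are hypothetical, and only flat lists (no negated elements inside brackets) are handled.

```python
import ipaddress

# Constructed stand-ins for the variables in the thread (not real site values).
VARS = {
    "HOME_NET": "192.0.2.0/24",
    "ICMP_AVOID": "[192.0.2.0/24,198.51.100.7]",
}

def parse_spec(spec, variables):
    """Parse a Snort-style address spec into (negated, networks).

    networks is None for the keyword 'any'. Supports a leading '!',
    '$VAR' references, single addresses/CIDR blocks and flat [a,b] lists.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("$"):
        # Expand the variable; '!' on a variable that is itself negated cancels.
        inner_negated, nets = parse_spec(variables[spec[1:]], variables)
        return negated != inner_negated, nets
    if spec == "any":
        return negated, None
    if spec.startswith("[") and spec.endswith("]"):
        items = spec[1:-1].split(",")
    else:
        items = [spec]
    nets = [ipaddress.ip_network(i.strip(), strict=False) for i in items]
    return negated, nets

def matches(spec, addr, variables=VARS):
    """True if addr falls under spec, with '!' applied to the whole list."""
    negated, nets = parse_spec(spec, variables)
    if nets is None:
        return not negated
    hit = any(ipaddress.ip_address(addr) in net for net in nets)
    return hit != negated

def coverage(addr):
    """Show which of the two approaches from the thread would cover addr."""
    return {
        "pass $ICMP_AVOID": matches("$ICMP_AVOID", addr),
        "alert !$ICMP_AVOID": matches("!$ICMP_AVOID", addr),
    }

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(src, coverage(src))
```

Under this model the pass rule and the negated alert rule are exact complements for every source address, which is the equivalence the message assumed when it expected the negated form to work.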
Current thread:
- ICMP rule not behaving as expected Neil Dickey (Apr 07)
- RE: ICMP rule not behaving as expected Tobias Rice (Apr 07)
- <Possible follow-ups>
- RE: ICMP rule not behaving as expected Neil Dickey (Apr 07)