Snort mailing list archives

Why is this rule still being tripped?


From: Orion Poplawski <orion () cora nwra com>
Date: Fri, 09 Jan 2004 09:27:50 -0700

Running snort 2.1.0.

I've modified the icmp-info.rules to be of the following form:

alert icmp !$TRUSTED_NET any -> $HOME_NET any (msg:"ICMP PING"; itype: 8; icode: 0; sid:384; classtype:misc-activity; rev:4;)

and have the following NET definitions in snort.conf:

var TRUSTED_NET [65.171.192.0/24,192.168.0.0/24,65.104.69.192/27,207.202.149.0/24,12.105.80.64/27,69.9.9.160/27]
var HOME_NET [65.171.192.0/24,192.168.0.0/24]

but I'm still seeing the ICMP PING (and other) alerts showing up in my ACID console.

From the alert log:

[**] [1:384:4] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
01/08-16:44:11.055633 65.104.69.201 -> 65.171.192.100
ICMP TTL:253 TOS:0x0 ID:65224 IpLen:20 DgmLen:1500 DF
Type:8  Code:0  ID:0   Seq:0  ECHO

--
Orion Poplawski
System Administrator                   303-415-9701 x222
Colorado Research Associates/NWRA      FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com
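As an added sanity check (not part of the original post, and not Snort code): the script below models the semantics the poster intends for `!$TRUSTED_NET`, namely "source address is in none of the listed networks", and evaluates the original and modified rule headers against the source and destination addresses in the quoted alert. It assumes the `var NAME [a,b,...]` bracket-list syntax shown in the post and treats the rule's `any` source as unconditional. It does not reproduce how Snort 2.1.0 itself parses a negated bracket list, which is exactly the behaviour the post is questioning; it only shows that 65.104.69.201 falls inside 65.104.69.192/27, so under the intended semantics the modified rule should not have fired.

```python
import ipaddress
import re

# Constructed copy of the two snort.conf lines from the post.
SNORT_CONF = """
var TRUSTED_NET [65.171.192.0/24,192.168.0.0/24,65.104.69.192/27,207.202.149.0/24,12.105.80.64/27,69.9.9.160/27]
var HOME_NET [65.171.192.0/24,192.168.0.0/24]
"""

# Constructed copy of the address line from the quoted alert.
ALERT_LINE = "01/08-16:44:11.055633 65.104.69.201 -> 65.171.192.100"


def parse_vars(conf_text):
    """Return {name: [ip_network, ...]} for every 'var NAME [list]' line.

    Assumption: only the comma-separated bracket list form is handled."""
    nets = {}
    for m in re.finditer(r"^\s*var\s+(\w+)\s+\[([^\]]+)\]", conf_text, re.M):
        name, body = m.group(1), m.group(2)
        nets[name] = [ipaddress.ip_network(c.strip(), strict=False)
                      for c in body.split(",")]
    return nets


def addr_matches(spec, ip, nets):
    """Evaluate one rule address field ('any', '$VAR', '!$VAR') against an IP.

    A negated variable is interpreted as 'not inside ANY listed network',
    which is the meaning the post intends for !$TRUSTED_NET."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!").lstrip("$")
    addr = ipaddress.ip_address(ip)
    inside = any(addr in n for n in nets[name])
    return (not inside) if negate else inside


def rule_would_fire(src_spec, dst_spec, src_ip, dst_ip, nets):
    """True when both the source and destination fields of the header match."""
    return (addr_matches(src_spec, src_ip, nets)
            and addr_matches(dst_spec, dst_ip, nets))


def parse_alert_ips(line):
    """Pull 'src -> dst' out of a Snort fast/full alert address line."""
    m = re.search(r"(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)", line)
    return m.group(1), m.group(2)


def check_post():
    """Evaluate the stock and the modified ICMP PING header against the alert."""
    nets = parse_vars(SNORT_CONF)
    src, dst = parse_alert_ips(ALERT_LINE)
    trusted = nets["TRUSTED_NET"]
    return {
        "src": src,
        "src_in_trusted": any(ipaddress.ip_address(src) in n for n in trusted),
        "matching_prefixes": [str(n) for n in trusted
                              if ipaddress.ip_address(src) in n],
        "stock_rule_fires": rule_would_fire("any", "$HOME_NET", src, dst, nets),
        "modified_rule_fires": rule_would_fire("!$TRUSTED_NET", "$HOME_NET",
                                               src, dst, nets),
    }


if __name__ == "__main__":
    for k, v in check_post().items():
        print(f"{k}: {v}")
```

Running it reports the source as inside 65.104.69.192/27, the stock `any -> $HOME_NET` header as matching, and the modified `!$TRUSTED_NET -> $HOME_NET` header as not matching. If the sensor still alerts, the gap is between these intended semantics and how the running Snort version evaluates a negated bracket list, which is the thing to confirm against that version's documentation or a packet replay on a test sensor.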
