Snort mailing list archives

RE: Suppress ICMP messages between two internal IPs (pass rule)


From: "Kenneth Trimmmer" <kenneth.trimmer () parkvale com>
Date: Mon, 26 Jul 2004 09:01:59 -0400

Just wondering, after I create a suppress rule, where do I put it? Does it
go into a rule file or does it go somewhere else?


Hi Bill,

You can use a "suppress" rule on the SIDs that are firing to safely
ignore these ICMP messages to/from your DCs without disabling the rule
altogether.

http://www.snort.org/docs/snort_manual/node19.html



Regards,

Chris.

dogbert () netnevada net wrote:

Hi All,

In doing some more research, it turns out that the offenders are Windows
domain controllers causing Snort to see:

ICMP Large ICMP Packet <--- used by Windows domain controllers to determine
the speed of a given link (in this case, the VPN we use).

ICMP L3retriever Ping
ICMP PING NMAP

alerts (logging). What I need to know is how to define a pass rule
for this type of traffic going to 10.1.1.21 and 10.1.1.23 (which are
the IP addresses it is tripping on) from 172.21.x.x. Is there a good example
of how this is done? (172.21.x.x usually consists of workstation traffic from
one office, and 10.1.1.x are servers, as a general rule.)

Does the Snort 2.1 book show good examples of these things? I've been
meaning to buy it, but don't know if it would apply with the new 2.2 series
being worked on.

Bill




-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
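
The suppress approach suggested in this thread, as an added example that is not part of the original messages: suppress lines for the three alerts named above, plus a simplified Python model of how they filter alerts. The SIDs are those of the stock ICMP rules, the alert lines and extra hosts are constructed, and the helper names `parse_suppress` and `is_suppressed` are hypothetical.

```python
import ipaddress
import re

# Suppress lines in Snort 2.x syntax, written for this example. In 2.x they usually go in
# threshold.conf, which snort.conf pulls in with an include line.
# SIDs from the stock ICMP rules: 499 Large ICMP Packet, 466 L3retriever Ping, 469 PING NMAP.
SUPPRESS_CONF = """
suppress gen_id 1, sig_id 499, track by_dst, ip 10.1.1.21
suppress gen_id 1, sig_id 499, track by_dst, ip 10.1.1.23
suppress gen_id 1, sig_id 466, track by_dst, ip 10.1.1.21
suppress gen_id 1, sig_id 466, track by_dst, ip 10.1.1.23
suppress gen_id 1, sig_id 469, track by_dst, ip 10.1.1.21
suppress gen_id 1, sig_id 469, track by_dst, ip 10.1.1.23
"""

# Constructed alert_fast-style lines (timestamps, revisions and hosts are made up).
ALERTS = [
    "07/26-09:00:01.000000  [**] [1:499:3] ICMP Large ICMP Packet [**] {ICMP} 172.21.4.10 -> 10.1.1.21",
    "07/26-09:00:02.000000  [**] [1:499:3] ICMP Large ICMP Packet [**] {ICMP} 172.21.4.10 -> 10.1.1.50",
    "07/26-09:00:03.000000  [**] [1:469:1] ICMP PING NMAP [**] {ICMP} 192.168.9.9 -> 10.1.1.23",
    "07/26-09:00:04.000000  [**] [1:466:2] ICMP L3retriever Ping [**] {ICMP} 10.1.1.21 -> 172.21.4.10",
]

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*track\s+(by_src|by_dst),\s*ip\s+(\S+)$")
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\].*\{\w+\}\s+(\S+)\s+->\s+(\S+)$")

def parse_suppress(text):
    """Return (gen_id, sig_id, track, network) tuples; reject lines that do not parse."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {line!r}")
        rules.append((int(m[1]), int(m[2]), m[3], ipaddress.ip_network(m[4], strict=False)))
    return rules

def is_suppressed(alert, rules):
    """Simplified model: an alert is dropped when gid:sid match and the tracked side is in ip."""
    m = ALERT_RE.search(alert)
    if not m:
        return False
    gid, sid = int(m[1]), int(m[2])
    src, dst = ipaddress.ip_address(m[3]), ipaddress.ip_address(m[4])
    # Only one side is tracked, so by_dst cannot also restrict the source to 172.21.x.x.
    return any((g, s) == (gid, sid) and (src if track == "by_src" else dst) in net
               for g, s, track, net in rules)
```

Run over `ALERTS`, the model drops the first and third lines and keeps the second and fourth: the third shows that a `by_dst` suppress hides these SIDs toward the DCs from any source, not only from the workstation range.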
 



