Snort mailing list archives
Tuning snort false positives
From: Juan Fernandez <Juan.Fernandez () deltathree com>
Date: Mon, 15 Nov 2004 18:57:55 +0200
Hi,

In the process of tuning snort I want to disable all the ICMP alerts. In acid I see many alerts like this:

[<http://www.snort.org/snort-db/sid.html?sid=485> snort] ICMP Destination Unreachable Communication Administratively Prohibited

I went into /etc/snort/rules/bad-traffic.rules but didn't see anything regarding ICMP!!!

Also, in acid the link to snort shows the rule's detail, which is:

alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)

I can't find this and exclude it!! Where is it?

Thanks,
juan
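One way to settle the "where is it?" question is to search every rules file for the sid instead of guessing the file, then comment the rule out. This is an added example, not part of the original post: the function names are hypothetical, and the sample rules files, the `sample-icmp.rules` name and sid 1000001 are constructed.

```shell
#!/bin/sh
# Added example: locate a Snort rule by sid across a rules directory, then disable it.

# find_sid DIR SID -> prints "file:line" for every rule in DIR/*.rules with that sid.
find_sid() {
    grep -H -n -E "sid:[[:space:]]*$2;" "$1"/*.rules | cut -d: -f1,2
}

# disable_sid DIR SID -> comments out each active (uncommented) alert rule with that sid.
disable_sid() {
    grep -l -E "^[[:space:]]*alert.*sid:[[:space:]]*$2;" "$1"/*.rules |
    while IFS= read -r f; do
        sed -E "/sid:[[:space:]]*$2;/ s/^([[:space:]]*)alert/\1# alert/" "$f" > "$f.tmp" &&
            mv "$f.tmp" "$f"
    done
}

# make_sample DIR -> writes two constructed rules files (stand-ins for /etc/snort/rules).
make_sample() {
    cat > "$1/bad-traffic.rules" <<'EOF'
# constructed sample file
alert ip any any -> any any (msg:"constructed sample rule"; sid:1000001; rev:1;)
EOF
    cat > "$1/sample-icmp.rules" <<'EOF'
# constructed sample file; the rule below is the one quoted in the post
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
EOF
}

# Demo on a throwaway directory so nothing under /etc/snort is touched.
demo=$(mktemp -d)
make_sample "$demo"
echo "sid 485 found at: $(find_sid "$demo" 485)"
disable_sid "$demo" 485
grep -H -n 'sid:485;' "$demo"/*.rules    # the rule now starts with "# alert"
rm -rf "$demo"
```

Against a real install, pass /etc/snort/rules as DIR; Snort has to be restarted to load the edited rules.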