Snort mailing list archives

Re: icmp pass rules


From: "Stephen Reese" <rsreese () gmail com>
Date: Fri, 24 Oct 2008 12:58:58 -0400

I think I answered my own question. Since suppression seems to only
filter on src or dst it probably doesn't work for everything because I
could still miss packets depending on what I'm trying to skip unless
it's common to write multiple suppression rules:

suppress gen_id 1, sig_id 404, track by_src, ip 172.31.1.1
suppress gen_id 1, sig_id 404, track by_dst, ip 172.31.1.0/24
suppress gen_id 1, sig_id 404, track by_dst, ip 172.31.2.0/24
suppress gen_id 1, sig_id 404, track by_dst, ip 172.31.3.0/24
suppress gen_id 1, sig_id 404, track by_dst, ip 172.31.4.0/24
suppress gen_id 1, sig_id 404, track by_dst, ip 172.31.5.0/24

instead of one pass rule.

pass icmp $3825ROUTER any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; sid:1000000;)

On Fri, Oct 24, 2008 at 10:33 AM, Stephen Reese <rsreese () gmail com> wrote:
Last one I hope, I'm already using a few pass rules:

#Ignore redirects from the main router to internet gateway
var 3825ROUTER [172.31.1.1/32]
pass icmp $3825ROUTER any -> $HOME_NET any

#Chatty Minolta copiers
var DI200 [172.31.1.223/32,172.31.1.240/32]
pass icmp $DI200 any -> $3825ROUTER any

If I decide to check out suppression is it viable to use it for all of
my 'passing' needs?

On Fri, Oct 24, 2008 at 10:24 AM, Joel Esler <joel.esler () sourcefire com> wrote:
It all depends on the situation. But in this case it's rather easy. Use a
suppression.

--
Joel Esler
Sent from my iPhone

On Oct 24, 2008, at 9:14 AM, "Stephen Reese" <rsreese () gmail com> wrote:

On Fri, Oct 24, 2008 at 9:06 AM, Joel Esler <eslerj () gmail com> wrote:

No, why would you say that?  Less of a penalty than a pass rule.


John Gay mentioned using:

You could use the itype and icode options.  I believe an echo reply would
be type 0 code 0.

So I'm assuming I can still use pass rules by adding more information.

The real question is why do pass rules even exist if you could use
suppression instead and not have the performance penalty.

Thanks for everyone's time in advance...


