From: Bennett Samowich (brs ben-tech.com)
Date: Mon Jun 25 2001 - 09:58:07 CDT
Greetings,
I am getting an exorbitant amount of ICMP alerts and want to temporarily
turn them off. I have tried commenting out the include for the ICMP rules
from snort.conf as well as adding a pass line to local.rules. Neither of
these seems to stop the influx of ICMP alerts. Any ideas on what I am doing
wrong?
My local.rules has:
# Pass any ICMP traffic temporarily
pass icmp any any -> any any (msg: "temporarily disabled";)
My snort.conf has:
...snip...
# Pass any local ICMP traffic
# Be sure you have created a local.rules file
# for your includes/ignores, etc.
#===============================================
include local.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include sql.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-misc.rules
include web-iis.rules
# include icmp.rules
include misc.rules
include policy.rules
include info.rules
include virus.rules
# Include the WhiteHats Vision rules here
# include vision.rules
...snip...
- Bennett
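
Commenting out icmp.rules removes only the rules defined in that file; any other included file may still carry ICMP rules. The following diagnostic is an added example, not part of the original post: it walks the uncommented include lines and lists every ICMP rule that is still loaded. The file contents are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample files (not from the post): a snort.conf with icmp.rules
# commented out, plus other rule files that still carry ICMP rules.
SAMPLE_FILES = {
    "snort.conf": "include local.rules\ninclude scan.rules\n# include icmp.rules\ninclude misc.rules\n",
    "local.rules": '# Pass any ICMP traffic temporarily\npass icmp any any -> any any (msg: "temporarily disabled";)\n',
    "scan.rules": 'alert icmp any any -> any any (msg: "constructed ping scan"; itype: 8;)\nalert tcp any any -> any 80 (msg: "constructed tcp";)\n',
    "misc.rules": 'alert icmp any any -> any any (msg: "constructed misc icmp";)\n',
    "icmp.rules": 'alert icmp any any -> any any (msg: "constructed echo"; itype: 8;)\n',
}

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
RULE_RE = re.compile(r"^\s*(alert|log|pass)\s+(\w+)\s")

def active_rules(files, conf="snort.conf", proto="icmp"):
    """Return [(file, action, line)] for proto rules reachable via uncommented includes."""
    found, seen, queue = [], set(), [conf]
    while queue:
        name = queue.pop(0)
        if name in seen or name not in files:
            continue
        seen.add(name)
        for line in files[name].splitlines():
            if line.lstrip().startswith("#"):
                continue  # commented-out includes and rules are not loaded
            inc = INCLUDE_RE.match(line)
            if inc:
                queue.append(inc.group(1))
                continue
            rule = RULE_RE.match(line)
            if rule and rule.group(2).lower() == proto:
                found.append((name, rule.group(1), line.strip()))
    return found

def summarize(files):
    """Count active ICMP rules per (file, action)."""
    counts = {}
    for name, action, _ in active_rules(files):
        counts[(name, action)] = counts.get((name, action), 0) + 1
    return counts

if __name__ == "__main__":
    for (name, action), n in sorted(summarize(SAMPLE_FILES).items()):
        print(f"{name}: {n} active {action} icmp rule(s)")
```

Snort releases of this period apply rules in alert, pass, log order unless started with the -o option, which switches the order to pass, alert, log. Any active alert rule the script lists can therefore still fire even though a pass rule is loaded.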