Snort mailing list archives
Re: [Snort-users] Speedera
From: "Paul Murphy" <paul.murphy () crestco co uk>
Date: Tue, 12 Jun 2001 09:47:31 +0100
Thanks John.

My mailserver is behind a firewall that blocks ICMP. I suppose my question was twofold: Why is my mailserver managing to emit ICMP at all, and when it does, why do they have the speedera signature?

So I guess this is not really for this list, as I can stop Snort triggering because of this, but I still don't know why it is happening in the first place.

Any offers?

Paul.
John Sage <jsage () finchhaven com> 6/11/2001 06:58:26 pm >>>
Paul:

I had to work on ping-lib to keep it from worrying about all sorts of stuff.

You may want to do something like this:

    alert icmp !$HOME_NET any -> $HOME_NET any (msg:"ICMP Echo Request"; itype:8;)

If I remember correctly, the original syntax was "any any <> $HOME_NET any" which alerts for stuff going in or out...

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

Paul Murphy wrote:
Hi all, Does anyone have any ideas why my Snort is picking up Speedera ICMPs *outbound* from my mail server? They are echo requests btw. Thanks, Paul.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

CRESTCo Ltd., 33 Cannon Street, London EC4M 5SB (UK)
+44 (020) 7849 0000
http://www.crestco.co.uk
The views expressed above are not necessarily those held by CRESTCo Limited.
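Added example, not part of the original thread and not Snort's own code: a small Python model of how the two rule headers quoted in John's reply treat traffic direction. The HOME_NET range, the packet addresses and all function names are constructed for illustration.

```python
import ipaddress

# Assumption: a constructed documentation range, not the poster's real network.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

def addr_matches(spec, ip):
    """Match one header address field: 'any', '$HOME_NET' or '!$HOME_NET'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if spec.lstrip("!") != "$HOME_NET":
        raise ValueError("unsupported address spec: " + spec)
    inside = ipaddress.ip_address(ip) in HOME_NET
    return inside != negate          # '!' inverts the membership test

def header_matches(header, pkt):
    """header is 'ACTION PROTO SRC SPORT OP DST DPORT'; ports are ignored for ICMP."""
    _action, proto, src, _sport, op, dst, _dport = header.split()
    if proto != "icmp":
        raise ValueError("this model only handles icmp headers")
    forward = addr_matches(src, pkt["src"]) and addr_matches(dst, pkt["dst"])
    if op == "->":                   # one direction only
        return forward
    if op == "<>":                   # either side may be the source
        reverse = addr_matches(src, pkt["dst"]) and addr_matches(dst, pkt["src"])
        return forward or reverse
    raise ValueError("unknown direction operator: " + op)

def alerts(header, pkt, itype=8):
    """True when the packet is an echo request (itype 8) and the header matches."""
    return pkt["itype"] == itype and header_matches(header, pkt)

ORIGINAL = "alert icmp any any <> $HOME_NET any"          # header as John recalls it
NARROWED = "alert icmp !$HOME_NET any -> $HOME_NET any"   # header John suggests

# Constructed packets: mail server pinging out, outside host pinging in, LAN ping.
OUTBOUND = {"src": "192.0.2.25", "dst": "198.51.100.7", "itype": 8}
INBOUND = {"src": "198.51.100.7", "dst": "192.0.2.25", "itype": 8}
INTERNAL = {"src": "192.0.2.10", "dst": "192.0.2.25", "itype": 8}

if __name__ == "__main__":
    for name, pkt in (("outbound", OUTBOUND), ("inbound", INBOUND), ("internal", INTERNAL)):
        print(name, "original:", alerts(ORIGINAL, pkt), "narrowed:", alerts(NARROWED, pkt))
```

With the narrowed header the outbound echo requests no longer alert, so they would have to be observed by some other means while their cause is still unknown.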