Snort mailing list archives
RE: Stopping particular rules
From: Kiira Triea <kiira-t () mail bsasinc org>
Date: Mon, 25 Jun 2001 10:50:36 -0400 (EDT)
If you do:

  grep ICMP /etc/snort/*.rules | awk '{print $1 }' | sort | uniq

you find all that have a rule for ICMP packets, not just those in icmp.rules. Some actually are more important but you can '#' out the ones that are clogging up your snort logs like the regular old ping rules in info.rules.

HTH,
Kiira
Greetings,

I am getting an exorbitant amount of ICMP alerts and want to temporarily turn them off. I have tried commenting out the include for the ICMP rules from snort.conf as well as adding a pass line to local.rules. Neither of these seems to stop the influx of ICMP alerts. Any ideas on what I am doing wrong?

My local.rules has:

  # Pass any ICMP traffic temporarily
  pass icmp any any -> any any (msg: "temporarily disabled";)

My snort.conf has:

...snip...
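Added example, not part of the original post or of Snort itself: a script that extends the grep approach in the reply above by matching on the protocol field of the rule header, so a rule that only mentions "ICMP" in its msg string is not counted, and that comments out the active ICMP rules in one file while keeping a backup. The function names and the sample rule files are constructed for illustration, and the script assumes one rule per line (no backslash continuations).

```shell
#!/bin/sh
# Print "count file" for every *.rules file in directory $1 that holds
# active (uncommented) rules whose protocol field (field 2) is icmp.
icmp_rule_files() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        n=$(awk '$1 !~ /^#/ && tolower($2) == "icmp" {c++} END {print c+0}' "$f")
        if [ "$n" -gt 0 ]; then echo "$n $f"; fi
    done
    return 0
}

# Comment out the active icmp rules in file $1; the original is kept as $1.bak.
disable_icmp_rules() {
    cp "$1" "$1.bak" &&
    awk '$1 !~ /^#/ && tolower($2) == "icmp" { print "#" $0; next } { print }' \
        "$1.bak" > "$1"
}

# Build a temporary rules directory with constructed sample rules.
make_sample_rules() {
    d=$(mktemp -d) || return 1
    cat > "$d/icmp.rules" <<'EOF'
alert icmp any any -> any any (msg:"constructed large packet"; dsize:>800;)
alert icmp any any -> any any (msg:"constructed source quench"; itype:4;)
EOF
    cat > "$d/info.rules" <<'EOF'
# constructed informational rules
alert icmp any any -> any any (msg:"constructed ping"; itype:8;)
alert tcp any any -> any 23 (msg:"constructed rule that mentions ICMP";)
#alert icmp any any -> any any (msg:"constructed, already disabled";)
EOF
    cat > "$d/web.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed web probe"; content:"/cgi-bin/";)
EOF
    echo "$d"
}

# Demo: list the files, silence the ping rule in info.rules, list again.
dir=$(make_sample_rules)
icmp_rule_files "$dir"
disable_icmp_rules "$dir/info.rules"
icmp_rule_files "$dir"
rm -rf "$dir"
```
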