Snort mailing list archives
Re: Stopping particular rules
From: Joe McAlerney <joey () SiliconDefense com>
Date: Mon, 25 Jun 2001 10:20:38 -0700
Hello Bennett,

I'm not sure why you are still seeing them when the includes are commented out. Perhaps there are some hidden in other .rules files like Kiira said.

As far as your pass rule, you must use -o to change the rule ordering, or the "alert" icmp rules will take precedence.

Happy Snorting,

-Joe M.

--
| Joe McAlerney joey () silicondefense com |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |
+-- --+

Bennett Samowich wrote:
Greetings,

I am getting an exorbitant amount of ICMP alerts and want to temporarily turn them off. I have tried commenting out the include for the ICMP rules from snort.conf as well as adding a pass line to local.rules. Neither of these seem to stop the influx of ICMP alerts.

Any ideas on what I am doing wrong?

My local.rules has:

    # Pass any ICMP traffic temporarily
    pass icmp any any -> any any (msg: "temporarily disabled";)

My snort.conf has:

    ...snip...
    # Pass any local ICMP traffic
    # Be sure you have created a local.rules file
    # for your includes/ignores, etc.
    #===============================================
    include local.rules
    include exploit.rules
    include scan.rules
    include finger.rules
    include ftp.rules
    include telnet.rules
    include smtp.rules
    include rpc.rules
    include rservices.rules
    include backdoor.rules
    include dos.rules
    include ddos.rules
    include dns.rules
    include netbios.rules
    include sql.rules
    include web-cgi.rules
    include web-coldfusion.rules
    include web-frontpage.rules
    include web-misc.rules
    include web-iis.rules
    # include icmp.rules
    include misc.rules
    include policy.rules
    include info.rules
    include virus.rules
    # Include the WhiteHats Vision rules here
    # include vision.rules
    ...snip...

- Bennett

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
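An added example, not part of the original thread: a small Python check for the two causes raised above, ICMP rules still active in some other included .rules file and the pass rule losing to alert rules unless Snort is started with -o. The file contents are constructed, the function names are hypothetical, and relative includes are assumed to resolve against the including file's directory.

```python
import re, tempfile
from pathlib import Path

# Snort applies rule chains Alert -> Pass -> Log by default; -o makes it Pass -> Alert -> Log.
ORDER = {False: ["alert", "pass", "log"], True: ["pass", "alert", "log"]}
RULE_RE = re.compile(r"^(alert|pass|log)\s+(\S+)\s", re.I)
INCLUDE_RE = re.compile(r"^include\s+(\S+)", re.I)
# Constructed files mirroring the setup in the thread (rule bodies are made up).
SAMPLE = {
    "snort.conf": "include local.rules\n# include icmp.rules\ninclude misc.rules\n",
    "local.rules": 'pass icmp any any -> any any (msg: "temporarily disabled";)\n',
    "icmp.rules": 'alert icmp any any -> any any (msg: "constructed ICMP rule";)\n',
    "misc.rules": 'alert icmp any any -> any any (msg: "constructed stray rule";)\n'
                  'alert tcp any any -> any 23 (msg: "constructed TCP rule";)\n',
}

def write_sample(directory):
    for name, body in SAMPLE.items():
        Path(directory, name).write_text(body)
    return Path(directory, "snort.conf")

def active_rules(conf_path, proto="icmp", seen=None):
    """Follow uncommented includes; return (file, line, action) per active proto rule."""
    seen = set() if seen is None else seen
    path = Path(conf_path)
    if path in seen or not path.is_file():
        return []
    seen.add(path)
    hits = []
    for no, raw in enumerate(path.read_text().splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            continue  # commented-out includes and rules are inactive
        inc, rule = INCLUDE_RE.match(line), RULE_RE.match(line)
        if inc:
            hits += active_rules(path.parent / inc.group(1), proto, seen)
        elif rule and rule.group(2).lower() == proto:
            hits.append((path.name, no, rule.group(1).lower()))
    return hits

def first_chain(hits, pass_first=False):
    """Action that wins for a packet matching every hit (a simplification)."""
    present = {action for _, _, action in hits}
    return next((a for a in ORDER[pass_first] if a in present), None)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        hits = active_rules(write_sample(d))
    print(hits, "| default:", first_chain(hits), "| with -o:", first_chain(hits, True))
```

Pointing active_rules() at a real snort.conf lists every file that still carries an uncommented ICMP rule, which is the first thing to rule out before relying on the pass rule.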