Snort mailing list archives

Re: "icmp-over-panic"

From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 7 Mar 2002 16:15:08 -0800

Hello Basil,

At 2:19 PM -0500 3/7/02, Basil Saragoza wrote:
I just pinged novell.com and received a reply from 192.233.80.9
After that I noticed in ACID an entry "ICMP echo reply"
in snort lan sensor in "misc-activity" section....
Why should I and why should snort care about the legitimate ping echo
replies?

Snort doesn't care. It just thought you cared, since you included the rule that alerts on a ping reply. When you first set up a sensor, you need to go through your snort configuration and include/exclude the rules corresponding to the alerts that you want to get.

You might also be able to make use of the priority information included in the alert. I'm not sure about ACID, but I know in SnortSnarf you can even choose to exclude alerts with not enough priority from presentation.

Welcome to the world of Snort.

-- Jim
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
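The priority-based filtering Jim describes for SnortSnarf, as an added Python example that is not code from the post, from SnortSnarf or from Snort: it parses Snort's one-line alert_fast output (field layout assumed from that format) and drops alerts whose priority number is too low or whose SID is on an exclusion list, which is the same tuning Jim suggests doing in the rule set. The sample alert lines and their SIDs are constructed for the example.

```python
import re

# Snort "alert_fast" line layout (assumed):
#   <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src -> dst
# Classification is optional because rules without a classtype omit it.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alerts (not from the list post); SIDs are illustrative.
SAMPLE_ALERTS = """\
03/07-14:19:02.123456 [**] [1:408:4] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.233.80.9 -> 10.1.1.5
03/07-14:20:11.654321 [**] [1:1234:1] EXAMPLE attempted admin access [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4444 -> 10.1.1.5:22
03/07-14:21:40.000001 [**] [1:9999:1] EXAMPLE rule without classtype [**] [Priority: 2] {UDP} 198.51.100.2:53 -> 10.1.1.5:1025
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    fields["prio"] = int(fields["prio"])  # 1 = highest priority in Snort
    return fields


def filter_alerts(lines, max_priority=2, excluded_sids=()):
    """Keep alerts with priority number <= max_priority and SID not excluded.

    Raising max_priority shows more (lower-priority) alerts; listing a SID in
    excluded_sids hides that rule's alerts, like dropping the rule from the
    sensor config but applied at presentation time instead.
    """
    kept = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["prio"] > max_priority or alert["sid"] in excluded_sids:
            continue
        kept.append(alert)
    return kept
```

With the default threshold the "Misc activity" echo-reply alert (priority 3) is suppressed while the priority 1 and 2 alerts remain.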

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users