Snort mailing list archives
Re: "icmp-over-panic"
From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 7 Mar 2002 16:15:08 -0800
Hello Basil,

At 2:19 PM -0500 3/7/02, Basil Saragoza wrote:
I just pinged novell.com and received a reply from 192.233.80.9. After that I noticed in ACID an entry "ICMP echo reply" in the snort lan sensor in the "misc-activity" section.... Why should I and why should snort care about the legitimate ping echo replies?
Snort doesn't care. It just thought you cared, since you included the rule that alerts on a ping reply. When you first set up a sensor, you need to go through your snort configuration and include/exclude the rules corresponding to the alerts that you want to get.
You might also be able to make use of the priority information included in the alert. I'm not sure about ACID, but I know in SnortSnarf you can even choose to exclude alerts with not enough priority from presentation.
Welcome to the world of Snort.

-- Jim

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
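The two approaches in the reply (dropping the echo-reply rule outright, or hiding alerts whose priority is too low, the way SnortSnarf does) can both be applied after the fact to Snort's "alert_fast" output. The following is an added example, not code from the thread or from Snort/SnortSnarf; the alert lines are constructed sample data in the alert_fast layout, and the sid/priority values (sid 408 for "ICMP Echo Reply") are illustrative.

```python
import re
from dataclasses import dataclass

# Constructed alert_fast-style lines (sample data, not a real capture).
SAMPLE_ALERTS = """\
03/07-14:19:02.113245  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.233.80.9 -> 192.168.1.10
03/07-14:20:11.551002  [**] [1:9001:1] WEB-SAMPLE suspicious request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.9.8.7:3122 -> 192.168.1.20:80
03/07-14:21:40.008811  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.9.8.7 -> 192.168.1.10
"""

# Fields of one alert_fast line: timestamp, gid:sid:rev, message,
# optional classification, priority (1 = most severe), protocol, endpoints.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    classification: str
    priority: int
    src: str
    dst: str


def parse_alert(line: str):
    """Return an Alert for one alert_fast line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], m["cls"] or "", int(m["prio"]),
                 m["src"], m["dst"])


def filter_alerts(text: str, max_priority: int = 2, suppressed_sids=frozenset()):
    """Keep alerts at or above a severity threshold (lower number = higher
    priority) whose sid has not been explicitly excluded, like disabling
    the rule in snort.conf."""
    kept = []
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None or a.sid in suppressed_sids or a.priority > max_priority:
            continue
        kept.append(a)
    return kept
```

Run against SAMPLE_ALERTS, a priority threshold of 2 hides the echo reply, and suppressing sid 408 with the threshold at 3 hides it too while keeping the rest.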
Current thread:
- "icmp-over-panic" Basil Saragoza (Mar 07)
- Re: "icmp-over-panic" James Hoagland (Mar 07)
- Re: "icmp-over-panic" Phil Wood (Mar 07)