Snort mailing list archives
Re: "icmp-over-panic"
From: Phil Wood <cpw () lanl gov>
Date: Thu, 7 Mar 2002 17:29:19 -0700
Basil,

I've seen a number of your queries. And I think the snort community has given you a lot of help. What you need to do now is read the following documents with a mind to understanding what they say and how snort might apply to your situation.

1. README
2. INSTALL
3. USAGE
4. FAQ
5. SnortUsersManual.pdf
6. <somename>.rules (Check out the Description in these files.)

Then, you need to ask yourself: "Just what is it I want to accomplish?" (Actually, you should have asked that question before pulling down snort.)

On Thu, Mar 07, 2002 at 02:19:02PM -0500, Basil Saragoza wrote:
> I just pinged novell.com and received a reply from 192.233.80.9. After that I noticed in ACID an entry "ICMP echo reply" in the snort lan sensor in the "misc-activity" section.... Why should I, and why should snort, care about the legitimate ping echo replies?
Why should you care is a good question to ask yourself. But, please don't think that "snort" cares a bit. It only "cares" because YOU told it to by leaving a rule or preprocessor in YOUR configuration. Which brings us back to: What do you want to accomplish?

One of many answers might be: "I want to know if anyone in my network is pinging hosts in the void." In this case, you might want to create a database of insiders that are using ping. Why? Because they might be "Gathering Information" about hosts. In other words, they might be actively mapping hosts in the void. The next thing you know, those systems that replied start seeing more nefarious traffic from your inside hosts. Or, you might get a call from a really pissed off network admin that doesn't even speak your language. [which is probably a good thing]

However, I think you actually answered your own question when you said: "Why should I ... care about the legitimate ping echo". You just made a judgement about the ping echo. You said it is legitimate. In that case you should find where the rule might be and "comment it out". For that matter, take a look at the beginning of the rules file that contains that alert and see if you even need to include the specific rule file. It's OK to "comment out" a specific rule, or for that matter "comment out" the include line for a specific rules file, in your configuration file if the rule or even the set of rules is not relevant to YOUR needs.

One further thing you can do is see what snort has to say about the particular rule you are interested in. Find the sid for the rule (it's in the alert "code" in one of the .rules files, "sid: num;") and do this:

http://www.snort.org/snort-db/sid.html?id=num

I'm done.
> thx.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
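The rule-file work Phil describes (find the rule that fired by its msg, pull its sid for the snort-db lookup, and comment the rule out) as an added example in Python. This is not part of the original thread and not Snort's own code; the two-rule sample file is constructed, and its sids in the local range are placeholders.

```python
import re

# Constructed sample of a Snort rules file (not copied from any Snort
# distribution); the sids are placeholders in the local (>= 1000000) range.
SAMPLE_RULES = """\
# icmp-info.rules (constructed sample)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:1000002; rev:1;)
"""

# action, then the header up to the first '(', then the option body.
RULE_RE = re.compile(
    r'^\s*(?P<action>alert|log|pass|drop)\s+(?P<header>[^(]+)\((?P<opts>.*)\)\s*$'
)


def parse_rules(text):
    """Return one dict per active (uncommented) rule: action, header, msg, classtype, sid."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines, '#' comments, include lines
        # Options are 'key:value;' pairs; keyword-only options (e.g. nocase) are skipped.
        opts = dict(o.strip().split(':', 1) for o in m.group('opts').split(';') if ':' in o)
        rules.append({
            'action': m.group('action'),
            'header': m.group('header').strip(),
            'msg': opts.get('msg', '').strip().strip('"'),
            'classtype': opts.get('classtype', '').strip(),
            'sid': int(opts['sid'].strip()) if 'sid' in opts else None,
        })
    return rules


def sid_url(sid):
    """The snort-db lookup URL in the form given in the post."""
    return f"http://www.snort.org/snort-db/sid.html?id={sid}"


def comment_out(text, msg):
    """Disable every active rule whose msg matches exactly, by prefixing '#' (as the post recommends)."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and f'msg:"{msg}"' in m.group('opts'):
            line = '# ' + line
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for r in parse_rules(SAMPLE_RULES):
        print(r['sid'], r['classtype'], r['msg'], sid_url(r['sid']))
    print(comment_out(SAMPLE_RULES, 'ICMP Echo Reply'))
```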