Snort mailing list archives
Re: icmp i want to ignore
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 5 Jun 2002 22:29:31 -0700 (PDT)
On Wed, 5 Jun 2002, Don wrote:
> the following rule in icmp.rules
>
>   alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;)
>
> triggers an alert for me I wish to ignore, from 1 source IP address. I know what causes it on this source, so I wish to ignore this source only. What would be the best way for this? Any suggestions?
FAQ'able info folks... :)

You have two options. It depends on how you want to approach it, as to your choice.

1) BPF Filters
2) Pass Rule(s)

Now, each of these has good and bad points. You need to consider which would work the best for you.

1) BPF Filter
   Good:
     1) Drops the packet at the BPF interface. Saves on processing power.
     2) Speeds up Snort since it 'never sees' those packets.
   Bad:
     1) Poorly constructed filters can 'blind-side' your whole network.

2) Pass Rule
   Good:
     1) Gives you rule based control over the packets.
     2) Puts all your changes into 'one place'--snort.conf and its rule files.
   Bad:
     1) Reverses the Rule order, can cause some headaches in tracing down problems.
     2) One poorly written pass rule can 'blind' your whole network.
     3) The more specific the pass rule is, the more CPU snort needs to process it.

I would post examples of each, but I don't have my Snort Users-Guide and Stephens book here to double check myself with. I'll post a pair of examples of each later tomorrow--Unless someone else beats me to it! ;-)

Since this has been reviewed here (snort-users) quite a bit, there should be a lot of info in the archives. Phil Wood has posted a nice generic BPF 'ignore file' about 3-4 weeks ago (sorry, no URL handy). There have also been quite a few postings regarding how to ignore things with pass rules. Have a look over the mailing list archives and see if any of the info there makes sense.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
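Added example (not from the thread and not Snort's own code): a small Python model of the two options Erek lists, applied to sid 466's match conditions. It assumes $HOME_NET is 192.0.2.0/24, that the one source to ignore is 198.51.100.7 (both constructed, RFC 5737 ranges), and models the Snort 1.x behaviour behind "reverses the Rule order": rules are tested Alert -> Pass -> Log by default and first match wins, so a pass rule only suppresses the alert when pass rules are tested first (the `snort -o` switch).

```python
# Toy model of Snort 1.x first-match rule ordering; addresses and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.0.2.0/24")              # assumed $HOME_NET
KNOWN_SRC = ip_address("198.51.100.7")             # constructed: the one source to ignore
L3RETRIEVER = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"  # content string from sid 466

@dataclass
class Packet:
    src: str
    dst: str
    itype: int
    icode: int
    payload: bytes

def sid466(p: Packet) -> bool:
    """alert icmp $EXTERNAL_NET any -> $HOME_NET any (content:...; itype:8; icode:0; depth:32)"""
    return (ip_address(p.src) not in HOME_NET and ip_address(p.dst) in HOME_NET
            and p.itype == 8 and p.icode == 0 and L3RETRIEVER in p.payload[:32])

def pass_known_src(p: Packet) -> bool:
    """Option 2: pass icmp 198.51.100.7 any -> $HOME_NET any (itype:8; icode:0;)"""
    return (ip_address(p.src) == KNOWN_SRC and ip_address(p.dst) in HOME_NET
            and p.itype == 8 and p.icode == 0)

def bpf_keep(p: Packet) -> bool:
    """Option 1: BPF 'not (icmp and src host 198.51.100.7)'. True means Snort sees the packet."""
    return ip_address(p.src) != KNOWN_SRC          # every Packet in this model is ICMP

RULES = {"alert": [sid466], "pass": [pass_known_src]}
DEFAULT_ORDER = ("alert", "pass")   # Snort 1.x default: Alert -> Pass -> Log
PASS_FIRST = ("pass", "alert")      # the order 'snort -o' gives you

def evaluate(p: Packet, order=DEFAULT_ORDER, bpf=None) -> str:
    """First matching rule type wins. A BPF filter, if given, runs before any rule is tested."""
    if bpf is not None and not bpf(p):
        return "dropped-by-bpf"
    for action in order:
        if any(rule(p) for rule in RULES[action]):
            return action
    return "none"

KNOWN_PING = Packet("198.51.100.7", "192.0.2.10", 8, 0, L3RETRIEVER)   # constructed
OTHER_PING = Packet("203.0.113.5", "192.0.2.10", 8, 0, L3RETRIEVER)    # constructed
if __name__ == "__main__":
    print(evaluate(KNOWN_PING))                    # alert (pass rule is never reached)
    print(evaluate(KNOWN_PING, order=PASS_FIRST))  # pass
    print(evaluate(KNOWN_PING, bpf=bpf_keep))      # dropped-by-bpf
```

The pass rule is deliberately as narrow as the alert it silences; a pass rule on the bare source address would also hide every other ICMP alert from that host, which is the 'blind' failure mode described above.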