Snort mailing list archives

Re: ICMP / drop.


From: Ralf Spenneberg <lists () spenneberg org>
Date: 09 Oct 2003 08:44:07 +0200

On Thu, 2003-10-09 at 08:13, Rudi Starcevic wrote:
> I'm trying to drop all icmp/ping packets on my Debian box in the US.
> I'm in Australia.
> /sbin/iptables --append INPUT -p icmp -s ! 127.0.0.1/32 -j DROP
>
> This works fine from my side.
> I'm unable to get any Ping responses.
>
> However some are still getting through.
>
> Here is a sample Snort log alert.
> [**] ICMP PING CyberKit 2.2 Windows [**]
> 10/08-22:42:48.897689 4.34.170.219 -> 64.235.238.29
> ICMP TTL:114 TOS:0x0 ID:10694 IpLen:20 DgmLen:92
> Type:8  Code:0  ID:768   Seq:59374  ECHO

Snort uses libpcap. This library sees the packets before they are
filtered. Even if you filter the packet in the INPUT chain, tcpdump and
Snort still see the packet!

> How can I make it so my machine replies to *no* icmp packets ?
If you want to stop the replies you have to use
iptables -A OUTPUT -p icmp -j DROP

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto                                  http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
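
An added example, not code from either poster: a small parser for the four-line Snort ICMP alert record quoted above, plus a check that tells whether an alert is an inbound echo request to one of your own addresses, i.e. the packet the INPUT rule drops. Because Snort reads it through libpcap before netfilter, such an alert is expected and is not evidence that the DROP rule failed; the iptables packet counters on the rule are the place to confirm the drop. The sample record and the local address set are constructed from the thread.

```python
import re

# Constructed sample in the Snort full alert layout quoted in the thread.
SAMPLE_ALERT = """\
[**] ICMP PING CyberKit 2.2 Windows [**]
10/08-22:42:48.897689 4.34.170.219 -> 64.235.238.29
ICMP TTL:114 TOS:0x0 ID:10694 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:59374  ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]$")
ADDR_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)$")
IP_RE = re.compile(r"^ICMP TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) "
                   r"ID:(?P<ipid>\d+) IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)$")
ICMP_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)\s+ID:(?P<id>\d+)"
                     r"\s+Seq:(?P<seq>\d+)\s+(?P<name>\w+)$")


def parse_icmp_alert(text):
    """Parse one four-line Snort ICMP alert record into a dict of typed fields."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 4:
        raise ValueError("expected a 4-line ICMP alert record")
    parts = [HEADER_RE.match(lines[0]), ADDR_RE.match(lines[1]),
             IP_RE.match(lines[2]), ICMP_RE.match(lines[3])]
    if not all(parts):
        raise ValueError("record does not match the Snort full ICMP alert format")
    fields = {}
    for m in parts:
        fields.update(m.groupdict())
    for key in ("ttl", "ipid", "iplen", "dgmlen", "type", "code", "id", "seq"):
        fields[key] = int(fields[key])
    fields["tos"] = int(fields["tos"], 16)
    return fields


def is_inbound_echo_request(alert, local_ips):
    """True for an echo request (type 8) to one of our addresses from a
    non-loopback source: the packet the thread's INPUT rule is meant to drop.
    Snort sees it via libpcap before netfilter, so the alert alone says
    nothing about whether the DROP rule matched."""
    return (alert["type"] == 8 and alert["dst"] in local_ips
            and not alert["src"].startswith("127."))


if __name__ == "__main__":
    a = parse_icmp_alert(SAMPLE_ALERT)
    print(a["src"], "->", a["dst"], "inbound echo request:",
          is_inbound_echo_request(a, {"64.235.238.29"}))
```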
