LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Snort: passing icmp from a since host (https://www.linuxquestions.org/questions/linux-security-4/snort-passing-icmp-from-a-since-host-291919/)

psychobyte 02-18-2005 12:17 PM

Snort: passing icmp from a single host
 
Hi,

I'm using snort-2.1.2 on RH9.0. I have a ping server that scan it's own /24 network every 15 minutes. Snort picks this up and floods the alert logs. I set up a rule in local.rules to ignore icmp packets from the ping server but, it seems either my rule isn't working or another rule is catching the packet before my custom rule.

here is my rule

pass icmp 192.168.1.1 any -> 192.168.1.0/24 any

I even tried this for the hell of it....

pass icmp 192.168.1.1/32 any -> 192.168.1.0/24 any

Since those didn't work I added the same rules to the beginning of icmp-info.rules and icmp.rules

It's still not working.

Can anyone help me out here?

One other question... When I add a rule, do I have to restart snort?

Thanks,

Capt_Caveman 02-20-2005 11:17 AM

If you are going to use a pass rule, then you need to change the order that snort applies rules, as the default is alert, pass, log. Use the -o option to change it. Alternatively, you can create a simple bpf rule and leave the rule order alone. Also you will need to restart snort to re-read the config or rules.


All times are GMT -5. The time now is 04:29 AM.