LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-18-2005, 12:17 PM   #1
psychobyte
Member
 
Registered: Sep 2003
Location: Central Coast, California
Posts: 179

Rep: Reputation: 30
Snort: passing icmp from a single host


Hi,

I'm using snort-2.1.2 on RH9.0. I have a ping server that scans its own /24 network every 15 minutes. Snort picks this up and floods the alert logs. I set up a rule in local.rules to ignore ICMP packets from the ping server, but it seems either my rule isn't working or another rule is catching the packet before my custom rule.

Here is my rule:

pass icmp 192.168.1.1 any -> 192.168.1.0/24 any

I even tried this for the hell of it...

pass icmp 192.168.1.1/32 any -> 192.168.1.0/24 any

Since those didn't work, I added the same rules to the beginning of icmp-info.rules and icmp.rules.

It's still not working.

Can anyone help me out here?

One other question... When I add a rule, do I have to restart snort?

Thanks,

Last edited by psychobyte; 02-18-2005 at 12:19 PM.
 
Old 02-20-2005, 11:17 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If you are going to use a pass rule, then you need to change the order that snort applies rules, as the default is alert, pass, log. Use the -o option to change it. Alternatively, you can create a simple bpf rule and leave the rule order alone. Also you will need to restart snort to re-read the config or rules.
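As an added illustration (not code from the thread), here is a small Python model of the rule-order behaviour Capt_Caveman describes. The generic ICMP alert rule is a constructed stand-in for the kind found in icmp-info.rules, and the packet addresses are made up; the rule text for the pass rule is the one psychobyte posted.

```python
# Added example (not from the thread): toy model of Snort 2.x rule ordering.
# Under the default order (alert, pass, log) the alert group is evaluated
# first, so a pass rule never gets a chance; `snort -o` puts pass first.
import ipaddress
from dataclasses import dataclass

def in_net(ip, spec):
    """'any' matches everything; otherwise a CIDR or bare host (= /32)."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

@dataclass
class Rule:
    action: str  # alert | pass | log
    proto: str
    src: str
    dst: str

    def matches(self, proto, src_ip, dst_ip):
        return (self.proto == proto and in_net(src_ip, self.src)
                and in_net(dst_ip, self.dst))

def parse_rule(text):
    """Parse a bare Snort 2 rule header as posted in the thread:
    '<action> <proto> <src> <sport> -> <dst> <dport>' (no option body)."""
    action, proto, src, _sport, arrow, dst, _dport = text.split()
    assert arrow == "->", "only unidirectional rules modelled here"
    return Rule(action, proto, src, dst)

DEFAULT_ORDER = ("alert", "pass", "log")  # Snort 2.x default
PASS_FIRST = ("pass", "alert", "log")     # what -o selects

def verdict(rules, order, proto, src_ip, dst_ip):
    """First matching rule in the first action group with a match wins."""
    for action in order:
        for r in rules:
            if r.action == action and r.matches(proto, src_ip, dst_ip):
                return action
    return "no match"

RULES = [
    # constructed stand-in for a generic ICMP alert from icmp-info.rules
    parse_rule("alert icmp any any -> 192.168.1.0/24 any"),
    # the pass rule psychobyte added to local.rules
    parse_rule("pass icmp 192.168.1.1 any -> 192.168.1.0/24 any"),
]

if __name__ == "__main__":
    ping_server = ("icmp", "192.168.1.1", "192.168.1.57")  # constructed packet
    print("default order:", verdict(RULES, DEFAULT_ORDER, *ping_server))  # alert
    print("pass first   :", verdict(RULES, PASS_FIRST, *ping_server))     # pass
```

In Snort 2.x the same reordering can also be made persistent with `config order: pass alert log` in snort.conf instead of passing -o on the command line; either way Snort has to be restarted to pick it up, as the reply notes.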