Snort mailing list archives

single IP icmp alert rule error


From: <ids () privisec com>
Date: Wed, 29 Jan 2003 20:13:50 -0700

OK ... this should be simple... please forgive this lowly novice's ignorance :)

I created a simple rule in the icmp_info rule folder

(more or less)
alert icmp any any -> $HOME_NET any (msg:"test of ping";)

I then issued a ping from a remote machine against 192.168.1.101 from 192.168.1.100.
This worked fine.  The log reported the alert.

I then changed this rule to alert when pings were being issued from 192.168.1.100.
I changed the above rule to..

alert icmp 192.168.1.100 any -> $HOME_NET any (msg: "test of ping";)

The result-  'nothing'!  Actually, a different rule further down the rule
chain was triggered.  I presume since mine was not detected it continued to
evaluate the rules in the icmp_info.rules file until it found an alert that
applied.

I also tried  192.168.1.100/32  - no joy.

Anyone have any suggestions?  I'm kinda in a tough spot - this is not the
rule I need... I simply need to be able to write rules and specify that they
apply to single IPs.

Any assistance will greatly be appreciated.

Direct responses are also greatly appreciated...
Citadel85 () aol com
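
As an added illustration (not part of the post above, and not Snort's own code), the following Python models how a Snort rule header is matched against a packet: address specs (`any`, a bare host, `host/prefix`, `[a,b]` lists, `!` negation, `$VAR` references), port specs, the `->` / `<>` direction, and first-match evaluation in file order, which is the behaviour the poster describes. It assumes a value for `$HOME_NET` (the post never gives one) and adds a constructed catch-all rule to stand in for the "different rule further down the rule chain". Under those assumptions both `192.168.1.100` and `192.168.1.100/32` match the described ping, so the checker can be used to see which header fields a candidate rule actually accepts or rejects.

```python
import ipaddress
import re

# Assumed value for $HOME_NET; the post does not say what it is set to.
# Chosen so that the pinged host 192.168.1.101 falls inside it.
VARIABLES = {"HOME_NET": "192.168.1.0/24"}

# Snort rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


def parse_rule(text):
    """Split one rule into its header fields plus a dict of its options."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a Snort rule header: {text!r}")
    rule = m.groupdict()
    options = {}
    for opt in rule["options"].split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"') if value else True
    rule["options"] = options
    return rule


def expand(token, variables):
    """Resolve a $VAR reference; an undefined variable raises, as Snort would refuse the rule."""
    if token.startswith("$"):
        return variables[token[1:]]
    return token


def address_matches(spec, ip, variables):
    """Address specs: any, host, host/prefix, [a,b,...], and ! negation.
    A bare host such as 192.168.1.100 is the same as 192.168.1.100/32."""
    spec = expand(spec, variables)
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(address_matches(part.strip(), ip, variables)
                   for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port, variables):
    """Port specs: any, N, N:M, :M, N:, and ! negation. ICMP has no ports, so port is None."""
    spec = expand(spec, variables)
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, variables)
    if spec == "any":
        return True
    if port is None:
        return False
    low, sep, high = spec.partition(":")
    if not sep:
        return port == int(low)
    return (not low or int(low) <= port) and (not high or port <= int(high))


def rule_matches(rule, packet, variables=VARIABLES):
    """True if the packet satisfies the rule header; rule options are not evaluated here."""
    if rule["proto"] not in ("ip", packet["proto"]):
        return False

    def one_way(src, sport, dst, dport):
        return (address_matches(src, packet["src"], variables)
                and port_matches(sport, packet.get("sport"), variables)
                and address_matches(dst, packet["dst"], variables)
                and port_matches(dport, packet.get("dport"), variables))

    forward = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if rule["direction"] == "<>":
        return forward or one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    return forward


def first_match(rules, packet, variables=VARIABLES):
    """Walk the rules in file order and return the msg of the first header that matches,
    the evaluation order the post describes; None if nothing matches."""
    for rule in rules:
        if rule_matches(rule, packet, variables):
            return rule["options"].get("msg")
    return None


# The single-IP rule from the post, followed by a constructed catch-all standing in
# for the "different rule further down the rule chain".
RULES = [parse_rule(r) for r in (
    'alert icmp 192.168.1.100 any -> $HOME_NET any (msg:"test of ping";)',
    'alert icmp any any -> $HOME_NET any (msg:"some other icmp rule";)',
)]

# Constructed packets: the ping described in the post, and one from a different host.
PING_FROM_100 = {"proto": "icmp", "src": "192.168.1.100", "dst": "192.168.1.101"}
PING_FROM_50 = {"proto": "icmp", "src": "192.168.1.50", "dst": "192.168.1.101"}

if __name__ == "__main__":
    print(first_match(RULES, PING_FROM_100))  # test of ping
    print(first_match(RULES, PING_FROM_50))   # some other icmp rule
    print(address_matches("192.168.1.100/32", "192.168.1.100", VARIABLES))  # True
```

Because the modelled header matches the ping as written, a rule that does not fire in practice is worth checking against the other inputs the header depends on: the actual `var HOME_NET` value in the loaded configuration, whether the edited rules file is the one Snort is really reading, and whether the packet's source address seen on the monitored interface is the one assumed.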

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users