Snort mailing list archives
RE: ICMP Ping NMAP troubleshooting
From: "Stephen W. Thomas" <swthomas () techsoft com>
Date: Tue, 20 May 2003 08:38:44 -0500
That would be another option. Of course the example uses a source as the one you want to ignore/filter and in my case I
don't want to ignore all of our servers as the source rather I want to ignore the one server as the destination. I was
thinking about modifying the ICMP Ping NMAP rule to read something like "alert xxxx $EXTERNAL_NET any -> $HOME_NET !foo".
The one question I have with this is will it get overwritten when Acid updates the rules?
Thanks,
Steve
-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Tue 5/20/2003 8:31 AM
To: Stephen W. Thomas
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICMP Ping NMAP troubleshooting
On Tue, 20 May 2003, Stephen W. Thomas wrote:
[...snip...]
> A. Ignore the thousands of hits it gets
> B. Disable that one rule for the one destination.
And two other ways:
http://www.theadamsfamily.net/~erek/snort/ignore.txt
Cheers!
-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
