Snort mailing list archives
Re: ICMP / drop.
From: Rudi Starcevic <rudi () oasis net au>
Date: Thu, 09 Oct 2003 19:12:21 +1000
Hi,
> But please note that TCP/IP *needs* ICMP in order to work properly.
Thanks - sorry, such novice questions. I am working through a Snort book right now - guess I should get a TCP one next.
I've had Snort up and running only for a day or so and noticed an IP that first pinged me, then followed up with loads of requests on all sorts of ports, which triggered dozens of alerts. So I had the silly idea to drop ICMP packets and be anonymous. As I now know, you'll also end up lonely if you drop ICMP packets :-) So it's not really possible to be anonymous. The machine just has to deal with the requests asked of it. The first step is to monitor those requests with something like Snort.
I guess in this case I should look at SnortSam for someone who triggers multiple alerts.
Thanks Rudi.
> Filtering _all_ ICMP packets may cause severe problems with your connections. Your server may become completely unreachable for some hosts.
>
> I guess you've read this quite paranoid paper ;) : http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.pdf
>
> Don't worry. There are other possibilities to hide ICMP traffic from Snort. One is to use special filters which are being applied directly in the kernel. The usage is quite simple: Simply add the following keywords to your Snort starting command [0]:
>
> not icmp
>
> like this
>
> snort -c snort.conf -i eth0 not icmp
>
> and all ICMP packets will be completely blended out at the libpcap (well, actually at the kernel) level for Snort.
>
> There is also one other possibility to avoid alerts on the specific packets: Creating so called pass rules. See the Snort manual for more info on this (and don't forget the -o switch).
>
> The alerts you've got have their own thread(s) here :-\ . Also see the FAQ and the list archives, where these problems have already been discussed *very* often. ;)
>
> Best Regards,
> Edin
>
> [0] See the tcpdump manpage for more info on this.
>
> > Cheers Rudi.
> >
> > Ralf Spenneberg wrote:
> > [...]
> > > If you want to stop the replies you have to use
> > >
> > > iptables -A OUTPUT -p icmp -j DROP
> > >
> > > Cheers,
> > > Ralf
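The two mechanisms Edin contrasts (a libpcap/BPF capture filter such as `not icmp`, versus Snort pass rules whose precedence the `-o` switch changes) differ in what the sensor still gets to see. The following is an added illustration, not code from the thread or from Snort itself: a small simulation that decodes hand-built IPv4 packets and runs them through a capture filter stage and a rule stage. The packets, addresses, and rule set are constructed for the demo; the rule evaluation only mimics Snort 2.x's documented order (Alert before Pass by default, Pass before Alert with `-o`) and is not Snort's engine.

```python
"""
Added example: capture filter ("not icmp") versus pass rule, simulated.
Packets and rules below are constructed for this demo; nothing here is Snort's own code.
"""
import struct

ICMP, TCP = 1, 6  # IPv4 protocol numbers


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload.
    Enough for the parser below; not a general packet builder."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,               # version 4, IHL 5 (20-byte header)
                         0,                  # TOS
                         20 + len(payload),  # total length
                         0x1234,             # identification (constructed value)
                         0,                  # flags / fragment offset
                         64,                 # TTL
                         proto,              # protocol
                         0,                  # header checksum (not computed here)
                         ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode only the fields the rules need: protocol, addresses, payload."""
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "payload": pkt[ihl:],
    }


def capture_filter_not_icmp(pkt: bytes) -> bool:
    """Stand-in for the BPF expression 'not icmp': True means 'deliver to the sensor'."""
    return parse_ipv4(pkt)["proto"] != ICMP


# Rule tuples: (action, protocol, source IP or None, TCP destination port or None, message)
SCANNER, MONITOR, SENSOR = "198.51.100.7", "192.0.2.10", "192.0.2.1"  # constructed addresses
RULES = [
    ("alert", ICMP, None, None, "ICMP echo request"),
    ("alert", TCP, None, 22, "connection attempt to port 22"),
    ("pass", ICMP, MONITOR, None, "ICMP from the monitoring host is expected"),
]


def rule_matches(rule: tuple, p: dict) -> bool:
    _action, proto, src, dport, _msg = rule
    if p["proto"] != proto or (src is not None and p["src"] != src):
        return False
    if dport is not None:
        if p["proto"] != TCP or len(p["payload"]) < 4:
            return False
        if struct.unpack("!H", p["payload"][2:4])[0] != dport:  # TCP destination port
            return False
    return True


def inspect(pkt: bytes, rules: list, pass_first: bool = False):
    """Return the alert message or None. Default order is Alert then Pass (Snort without -o);
    pass_first=True mimics -o, where a matching pass rule silences later alert rules."""
    p = parse_ipv4(pkt)
    for action in (["pass", "alert"] if pass_first else ["alert", "pass"]):
        for rule in rules:
            if rule[0] == action and rule_matches(rule, p):
                return rule[4] if action == "alert" else None
    return None


def run_sensor(packets: list, rules: list, capture_filter=None, pass_first: bool = False):
    """Returns (packets the sensor decoded, alerts raised)."""
    seen, alerts = 0, []
    for pkt in packets:
        if capture_filter is not None and not capture_filter(pkt):
            continue  # dropped at the libpcap/kernel stage: never decoded, never logged
        seen += 1
        msg = inspect(pkt, rules, pass_first)
        if msg is not None:
            alerts.append(msg)
    return seen, alerts


# Constructed traffic: a scanner pings, a monitoring host pings, the scanner probes port 22.
PACKETS = [
    build_ipv4(ICMP, SCANNER, SENSOR, b"\x08\x00\x00\x00\x00\x01\x00\x01"),
    build_ipv4(ICMP, MONITOR, SENSOR, b"\x08\x00\x00\x00\x00\x02\x00\x01"),
    build_ipv4(TCP, SCANNER, SENSOR, struct.pack("!HH", 40000, 22) + b"\x00" * 16),
]


def demo() -> dict:
    return {
        "default": run_sensor(PACKETS, RULES),
        "pass_first": run_sensor(PACKETS, RULES, pass_first=True),
        "bpf_not_icmp": run_sensor(PACKETS, RULES, capture_filter=capture_filter_not_icmp),
    }


if __name__ == "__main__":
    for name, (seen, alerts) in demo().items():
        print(f"{name:13s} decoded={seen} alerts={alerts}")
```

The output makes the trade-off concrete: with the capture filter the sensor decodes only one of the three packets and the scanner's ping leaves no trace at all, whereas a pass rule keeps every packet visible and only suppresses the alert for the host you chose to trust, and only once pass rules take precedence (the `-o` case). The first form removes noise and visibility together; the second removes just the noise.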
Current thread:
- ICMP / drop. Rudi Starcevic (Oct 09)
- Re: ICMP / drop. Ralf Spenneberg (Oct 09)
- Re: ICMP / drop. Rudi Starcevic (Oct 09)
- Re: ICMP / drop. Edin Dizdarevic (Oct 09)
- Re: ICMP / drop. Rudi Starcevic (Oct 09)
- Re: ICMP / drop. Edin Dizdarevic (Oct 09)
- Re: ICMP / drop. Rudi Starcevic (Oct 09)
- Re: ICMP / drop. Ralf Spenneberg (Oct 09)
