Snort mailing list archives
Re: Why is this rule still being tripped?
From: Martin Roesch <roesch () sourcefire com>
Date: Sat, 10 Jan 2004 22:14:06 -0500
Have you tried making a negated TRUSTED_NET set and using that instead of the global negation? I need to look at the logic, but I think that none of the IPs in TRUSTED_NET can match for the rule to fail.
Have you tried it with just the one net you want to ignore to narrow it down to the IP list?
-Marty
On Jan 9, 2004, at 11:27 AM, Orion Poplawski wrote:
Running snort 2.1.0. I've modified the icmp-info.rules to be of the following form:

alert icmp !$TRUSTED_NET any -> $HOME_NET any (msg:"ICMP PING"; itype: 8; icode: 0; sid:384; classtype:misc-activity; rev:4;)

and have the following NET definitions in snort.conf:

var TRUSTED_NET [65.171.192.0/24,192.168.0.0/24,65.104.69.192/27,207.202.149.0/24,12.105.80.64/27,69.9.9.160/27]
var HOME_NET [65.171.192.0/24,192.168.0.0/24]

but I'm still seeing the ICMP PING (and other) alerts showing up in my ACID console.

From the alert log:

[**] [1:384:4] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
01/08-16:44:11.055633 65.104.69.201 -> 65.171.192.100
ICMP TTL:253 TOS:0x0 ID:65224 IpLen:20 DgmLen:1500 DF
Type:8 Code:0 ID:0 Seq:0 ECHO

--
Orion Poplawski
System Administrator                   303-415-9701 x222
Colorado Research Associates/NWRA      FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301   http://www.co-ra.com

-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
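As an added illustration (not code from either poster or from Snort itself), a small Python checker that applies the snort.conf variables quoted in the thread and the source/destination from the quoted alert to the rule's address fields, and also evaluates Marty's suggestion of a variable that carries its own `!`. It assumes the negation semantics Marty describes, namely that `!$TRUSTED_NET` matches only a source that is in none of the listed networks; the alert's source 65.104.69.201 falls inside 65.104.69.192/27, so under that assumption the header should not match and the alert would point at Snort's negation handling rather than the address lists.

```python
import ipaddress

# Constructed from the snort.conf lines quoted in the thread.
SNORT_VARS = {
    "TRUSTED_NET": "[65.171.192.0/24,192.168.0.0/24,65.104.69.192/27,"
                   "207.202.149.0/24,12.105.80.64/27,69.9.9.160/27]",
    "HOME_NET": "[65.171.192.0/24,192.168.0.0/24]",
}


def parse_addr_spec(spec, variables):
    """Parse one rule-header address field into (negated, [networks]).

    Accepts `any`, `$VAR`, `!$VAR`, `[a,b]` and `![a,b]`; a variable's value
    may itself carry a leading `!` (Marty's "negated TRUSTED_NET" idea), in
    which case the two negations combine.  Assumption: no nested lists.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    if spec.startswith("$"):
        spec = variables[spec[1:]].strip()
        if spec.startswith("!"):
            negated = not negated
            spec = spec[1:]
    parts = spec.strip("[]").split(",")
    return negated, [ipaddress.ip_network(p.strip()) for p in parts if p.strip()]


def addr_matches(spec, ip, variables):
    """Assumed semantics: a negated field matches iff ip is in NONE of the nets."""
    negated, nets = parse_addr_spec(spec, variables)
    inside = any(ipaddress.ip_address(ip) in net for net in nets)
    return inside != negated


def header_matches(src_spec, dst_spec, src_ip, dst_ip, variables):
    """Evaluate only the source/destination address part of a rule header."""
    return (addr_matches(src_spec, src_ip, variables)
            and addr_matches(dst_spec, dst_ip, variables))


if __name__ == "__main__":
    # Source/destination taken from the alert-log entry quoted in the thread.
    src, dst = "65.104.69.201", "65.171.192.100"
    print("src in TRUSTED_NET:", addr_matches("$TRUSTED_NET", src, SNORT_VARS))
    print("rule header should match:",
          header_matches("!$TRUSTED_NET", "$HOME_NET", src, dst, SNORT_VARS))
    # Marty's suggestion: put the negation inside the variable instead.
    alt = dict(SNORT_VARS, NOT_TRUSTED="!" + SNORT_VARS["TRUSTED_NET"])
    print("with $NOT_TRUSTED:",
          header_matches("$NOT_TRUSTED", "$HOME_NET", src, dst, alt))
```

Running the checker against the alert's own addresses is a quick way to tell whether an unexpected hit comes from a gap in the address lists or from how the engine evaluates the negation.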
Current thread:
- Why is this rule still being tripped? Orion Poplawski (Jan 09)
- Re: Why is this rule still being tripped? Martin Roesch (Jan 10)
- Re: Why is this rule still being tripped? Orion Poplawski (Jan 13)
- Re: Why is this rule still being tripped? Martin Roesch (Jan 17)
- Re: Why is this rule still being tripped? Orion Poplawski (Jan 19)
- Re: Why is this rule still being tripped? Orion Poplawski (Jan 13)
- Re: Why is this rule still being tripped? Martin Roesch (Jan 10)
