Snort mailing list archives

Re: Surpress ICMP messages between two internal IP's (pass rule)


From: "Keith W. McCammon" <mccammon () gmail com>
Date: Sun, 25 Jul 2004 17:36:02 -0400

> alerts (logging), what I need to know how to do is to define a pass rule
> for this type of traffic going to 10.1.1.21 and 10.1.1.23 (which are
> the IP address it is tripping on) from 172.21.x.x, is there a good example on
> this is done)?  (172.21.x.x usually consists of workstation traffic from one
> office, and 10.1.1.x are servers, as a general rule).

See this response to your previous post.  Writing pass rules is, in
general, a less efficient method in the long run.  You should be using
suppress.  See this response to one of your previous posts:
http://archives.neohapsis.com/archives/snort/2004-07/0378.html.

If you must write a pass rule, just copy and paste the offending rule,
changing the source and destination accordingly.  Then start snort
with the -o option, so that pass rules are processed first.
 
> Does the Snort 2.1 book show good examples of these things, I've been meaning
> to buy it, but don't know if it would apply with the new 2.2 series being
> worked on?

Either solution is very simple.  Just read the documentation.  The
book is neat and all, but these are one- and two-line config or rule
changes.
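
The two options discussed in this message, side by side, as an added example that is not part of the original message or of the Snort distribution. The signature ID is a placeholder because the thread never names the offending rule, 172.21.0.0/16 is an assumed reading of "172.21.x.x", and the snort.conf path is an assumption.

```conf
# --- Option 1: suppress (goes in snort.conf or threshold.conf) ---
# <SID> is a placeholder: use the sig_id printed in the alert you want
# to silence. gen_id 1 is the generator for ordinary text rules.
# A suppress entry keys on ONE side of the flow only, so pick the side
# that over-suppresses least in your network.

# Silence the signature when the workstation subnet is the source
# (this also hides it for destinations other than the two servers):
suppress gen_id 1, sig_id <SID>, track by_src, ip 172.21.0.0/16

# Or silence it per destination server
# (this also hides it for sources outside 172.21.0.0/16):
# suppress gen_id 1, sig_id <SID>, track by_dst, ip 10.1.1.21
# suppress gen_id 1, sig_id <SID>, track by_dst, ip 10.1.1.23

# --- Option 2: pass rule (goes in a rules file) ---
# Following the advice above: copy the offending rule, change the action
# to "pass", and narrow source and destination. Only the header is shown
# here; paste the original rule's options inside parentheses after it so
# that only that one signature is bypassed. Without options this header
# matches ALL ICMP between these hosts, and no other ICMP rule will ever
# fire on that traffic.
pass icmp 172.21.0.0/16 any -> [10.1.1.21,10.1.1.23] any

# Pass rules only take effect first when Snort is started with -o:
#   snort -o -c /etc/snort/snort.conf
```

Suppress only hides the alert for that one signature, while a pass rule stops all further rule evaluation on matching packets, so the pass rule leaves a wider blind spot if its header or options are broader than intended.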

