Snort mailing list archives
Re: Tuning snort false positives
From: "prabu" <prabu333 () hotpop com>
Date: Tue, 16 Nov 2004 14:29:45 +0530
> In the process of tuning snort I want to disable all the ICMP alerts.
> In ACID I see many alerts like this:
> [snort] ICMP Destination Unreachable Communication Administratively Prohibited
> I went into /etc/snort/rules/bad-traffic.rules but didn't see anything regarding ICMP!!!

Simply go into your snort configuration file and comment out icmp.rules, then restart your snort. To make it much easier, open snort.conf in your favourite editor and move to line number 521; it will be like this:

include $RULE_PATH/icmp.rules

Then you have to change it to:

#include $RULE_PATH/icmp.rules

> alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
> I can't find this and exclude it!!
> Where is it?

This rule will be present in the file /yourpath/rule/icmp.rules. HTH

--
Senthil Prabu.S
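The two edits the reply describes, commenting out the whole icmp.rules include in snort.conf and commenting out just the sid:485 rule inside icmp.rules, as an added shell example that is not code from this thread or from the Snort project. The scratch directory, the second sample rule (sid 1000001, in the local-rule range) and the three-line sample snort.conf are constructed for the demo; point the functions at your own /etc/snort paths in practice.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: disable one Snort rule
# by SID inside a rules file, or comment out a whole rule-file include in
# snort.conf. Paths passed to the functions are the caller's assumption.

# Rewrite $1 in place: every active rule line carrying "sid:$2;" gets a
# leading '#', which Snort treats as a comment. Already-commented lines do
# not match, so the edit is idempotent. A temp file avoids non-portable
# 'sed -i' behaviour.
disable_sid() {
    rules_file=$1
    sid=$2
    sed -E 's/^((alert|log|pass|drop|reject|sdrop)[[:space:]].*sid:'"$sid"';)/#\1/' \
        "$rules_file" > "$rules_file.tmp" && mv "$rules_file.tmp" "$rules_file"
}

# Comment out 'include $RULE_PATH/<name>' in a snort.conf. Line numbers such
# as 521 differ between Snort releases, so match the text rather than the line.
disable_include() {
    conf=$1
    name=$2
    sed -E 's|^(include[[:space:]]+\$RULE_PATH/'"$name"'[[:space:]]*)$|#\1|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the number of still-active (uncommented) rules with the given SID.
# 'grep -c' exits 1 when the count is 0, hence '|| true' under 'set -e'.
active_sid_count() {
    grep -cE '^(alert|log|pass|drop|reject|sdrop)[[:space:]].*sid:'"$2"';' "$1" || true
}

# Print the number of still-active include lines for the given rules file.
active_include_count() {
    grep -cE '^include[[:space:]]+\$RULE_PATH/'"$2"'[[:space:]]*$' "$1" || true
}

# Build constructed sample files in a scratch directory, apply both edits and
# print four counts: sid 485 active, sid 1000001 active, icmp.rules include
# active, icmp-info.rules include active. Expected: "0 1 0 1".
demo() {
    dir=$(mktemp -d)
    cat > "$dir/icmp.rules" <<'EOF'
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"LOCAL constructed ICMP sample rule"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)
EOF
    cat > "$dir/snort.conf" <<'EOF'
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
EOF
    disable_sid "$dir/icmp.rules" 485
    disable_include "$dir/snort.conf" icmp.rules
    result="$(active_sid_count "$dir/icmp.rules" 485) $(active_sid_count "$dir/icmp.rules" 1000001) $(active_include_count "$dir/snort.conf" icmp.rules) $(active_include_count "$dir/snort.conf" icmp-info.rules)"
    rm -rf "$dir"
    echo "$result"
}
```

Commenting out the include silences every rule in icmp.rules, not just sid 485, so if the goal is only to stop the "Administratively Prohibited" alerts, disabling that one SID keeps the rest of the ICMP coverage. Either way Snort has to be restarted (or sent a SIGHUP) before the change takes effect, as the reply notes.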
Current thread:
- Tuning snort false positives Juan Fernandez (Nov 15)
- Re: Tuning snort false positives prabu (Nov 16)
- <Possible follow-ups>
- Re: Tuning snort false positives Lyndon Tiu (Nov 15)
