This is a discussion on Re: [Snort-users] ICMP / drop. within the Snort forums, part of the System Security and Security Related category.
On Thu, 2003-10-09 at 08:13, Rudi Starcevic wrote:
> I'm trying to drop all icmp/ping packets on my Debian box in the US.
> I'm in Australia.
> /sbin/iptables --append INPUT -p icmp -s ! 127.0.0.1/32 -j DROP
> This works fine from my side.
> I'm unable to get any Ping responses.
>
> However some are still getting through.
>
> Here is a sample Snort log alert.
> [**] ICMP PING CyberKit 2.2 Windows [**]
> 10/08-22:42:48.897689 4.34.170.219 -> 64.235.238.29
> ICMP TTL:114 TOS:0x0 ID:10694 IpLen:20 DgmLen:92
> Type:8 Code:0 ID:768 Seq:59374 ECHO
>

Snort uses libpcap. This library sees the packets before they are filtered. Even if you filter the packet in the INPUT chain, tcpdump and Snort still see the packet!

> How can I make it so my machine replies to *no* icmp packets ?

If you want to stop the replies you have to use

iptables -A OUTPUT -p icmp -j DROP

Cheers,

Ralf

--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
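The point of Ralf's reply is that an alert for an inbound Type:8 (echo request) proves nothing about the firewall: on Linux, a PF_PACKET capture tap such as libpcap sees ingress frames before the netfilter INPUT chain runs, so a DROP rule never hides them from Snort or tcpdump. What would show that the INPUT rule failed is an echo reply (Type:0) leaving the host. The following script, an added example and not code from the thread or from Snort, parses alerts in Snort's classic full-alert format and reports whether the sensor has only seen requests arrive or has actually seen the host answer. The first alert block is the one Rudi posted; the second is a constructed echo-reply alert added to exercise the "leaking" path. The host address and the function names are assumptions for the example.

```python
"""Tell "the sensor saw an echo request" apart from "the host answered".

Added example for the Snort-users thread above; not part of the original
post.  Parses Snort classic full-alert blocks and classifies each ICMP
alert by direction relative to the monitored host.
"""
import re
from dataclasses import dataclass

# Assumed address of the pinged Debian box (the sensor host in the thread).
LOCAL_HOST = "64.235.238.29"

# Constructed sample: the first block is the alert from the post, the second
# is a made-up echo-reply alert used to demonstrate the "leaking" verdict.
SAMPLE_ALERTS = """\
[**] ICMP PING CyberKit 2.2 Windows [**]
10/08-22:42:48.897689 4.34.170.219 -> 64.235.238.29
ICMP TTL:114 TOS:0x0 ID:10694 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:59374  ECHO

[**] ICMP Echo Reply [**]
10/08-22:42:48.898100 64.235.238.29 -> 4.34.170.219
ICMP TTL:64 TOS:0x0 ID:10695 IpLen:20 DgmLen:92
Type:0  Code:0  ID:768   Seq:59374  ECHO REPLY
"""

# One Snort full-alert block: message line, timestamp + src -> dst line,
# the IP header line, then the ICMP Type/Code line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]\s*\n"
    r"(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s*\n"
    r"ICMP\s+TTL:(?P<ttl>\d+)[^\n]*\n"
    r"Type:(?P<type>\d+)\s+Code:(?P<code>\d+)"
)

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass
class IcmpAlert:
    msg: str
    src: str
    dst: str
    icmp_type: int
    icmp_code: int


def parse_alerts(text):
    """Extract every ICMP alert block from classic Snort alert output."""
    return [
        IcmpAlert(m["msg"], m["src"], m["dst"], int(m["type"]), int(m["code"]))
        for m in ALERT_RE.finditer(text)
    ]


def classify(alert, local_host=LOCAL_HOST):
    """Label what one alert proves about the monitored host.

    inbound-echo-request: pcap saw a ping arrive; INPUT DROP cannot hide this.
    outbound-echo-reply:  the host answered, so the filter did not stop it.
    """
    if alert.icmp_type == ICMP_ECHO_REQUEST and alert.dst == local_host:
        return "inbound-echo-request"
    if alert.icmp_type == ICMP_ECHO_REPLY and alert.src == local_host:
        return "outbound-echo-reply"
    return "other"


def filter_verdict(text, local_host=LOCAL_HOST):
    """'leaking' if any echo reply left local_host, otherwise 'filtered'."""
    labels = [classify(a, local_host) for a in parse_alerts(text)]
    return "leaking" if "outbound-echo-reply" in labels else "filtered"


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a.src} -> {a.dst} type={a.icmp_type}: {classify(a)}")
    print("verdict:", filter_verdict(SAMPLE_ALERTS))
```

Two practical checks go with this. First, read the rule's own counters with `iptables -L INPUT -v -n`: a rising packet count on the DROP rule confirms the kernel is discarding the requests Snort keeps reporting. Second, capture only the replies, e.g. `tcpdump -ni eth0 'icmp[icmptype] == icmp-echoreply'`; if nothing shows up while the host is being pinged, the INPUT rule is doing its job and the OUTPUT rule is only a belt-and-braces addition. Note also that newer iptables releases deprecate the intrapositioned negation in `-s ! 127.0.0.1/32` in favour of `! -s 127.0.0.1/32`.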