Re: [Snort-users] ICMP / drop.

Old 10-09-2003
Edin Dizdarevic
 



Rudi Starcevic wrote:
> Ralf,
>
> Thanks - I see and it's clear now.


But please note that TCP/IP *needs* ICMP in order to work properly.
Filtering _all_ ICMP packets may cause severe problems with your
connections. Your server may become completely unreachable for
some hosts.

I guess you've read this quite paranoid paper ;) :

http://www.sys-security.com/archive/...nning_v3.0.pdf

Don't worry.

There are other possibilities to hide ICMP traffic from Snort. One is to
use special filters which are being applied directly in the kernel. The
usage is quite simple: Simply add the following keywords to your Snort
starting command [0]:

not icmp

like this

snort -c snort.conf -i eth0 not icmp

and all icmp packets will be completely blended out at the libpcap
(well, actually at the kernel) level for Snort.

There is also one other possibility to avoid alerts on the specific
packets: Creating so-called pass rules. See the Snort manual for more
info on this (and don't forget the -o switch). The alerts you've got
have their own thread(s) here :-\ .

Also see the FAQ and the list archives, where these problems have already
been discussed *very* often. ;)

Best Regards,
Edin

[0] See the tcpdump manpage for more info on this.


>
> Cheers
> Rudi.
>
> Ralf Spenneberg wrote:
>

[...]
>>
>> If you want to stop the replies you have to use
>> iptables -A OUTPUT -p icmp -j DROP
>>
>> Cheers,
>>
>> Ralf


--
Edin Dizdarevic
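
The following is an added example, not part of the original post: a small Python model of what a capture filter does to Snort's view of the traffic, comparing "not icmp" with a narrower filter that hides only echo request/reply. The packets, addresses and function names are constructed for illustration, and the narrower pcap expression quoted in the comment is standard pcap-filter syntax that does not appear in the thread.

```python
import struct

ICMP = 1                          # IPv4 protocol number for ICMP
ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP types used by ping

def ipv4_packet(proto, payload, src="192.0.2.10", dst="192.0.2.20"):
    """Build a minimal IPv4 packet (constructed sample, checksum left at 0)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, addr(src), addr(dst))
    return header + payload

def icmp_packet(icmp_type, code=0):
    """IPv4 packet carrying an 8-byte ICMP header of the given type/code."""
    return ipv4_packet(ICMP, struct.pack("!BBHI", icmp_type, code, 0, 0))

def parse(pkt):
    """Return (ip_protocol, icmp_type or None) for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4      # header length in bytes
    proto = pkt[9]
    icmp_type = pkt[ihl] if proto == ICMP and len(pkt) > ihl else None
    return proto, icmp_type

def not_icmp(pkt):
    """Model of the filter 'not icmp': True if the packet reaches Snort."""
    return parse(pkt)[0] != ICMP

def not_echo(pkt):
    """Model of the narrower filter
    'not (icmp[icmptype] = icmp-echo or icmp[icmptype] = icmp-echoreply)'."""
    proto, icmp_type = parse(pkt)
    return not (proto == ICMP and icmp_type in (ECHO_REQUEST, ECHO_REPLY))

def visible(capture_filter, packets):
    """Names of the packets that pass the filter, i.e. what Snort can inspect."""
    return [name for name, pkt in packets if capture_filter(pkt)]

# Constructed sample traffic.
SAMPLES = [
    ("tcp", ipv4_packet(6, b"\x00" * 20)),
    ("echo-request", icmp_packet(ECHO_REQUEST)),
    ("echo-reply", icmp_packet(ECHO_REPLY)),
    ("frag-needed", icmp_packet(3, 4)),   # dest. unreachable, fragmentation needed
]

if __name__ == "__main__":
    print("not icmp :", visible(not_icmp, SAMPLES))
    print("not echo :", visible(not_echo, SAMPLES))
```

Whatever the filter excludes never reaches Snort, so no rule can alert on it; the narrower filter keeps ICMP error messages inspectable while still hiding ping traffic.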


