Someone correct me if I am wrong, but Snort, like other traffic shapers
and dumpers, takes actual traffic from the network card prior to the
firewall/kernel getting it. The rule is in place, and as long as you see
numbers in the first two columns in the following command:
ipfw -a l [INSERT_YOUR_FW_RULE_FOR_ICMP_BLOCKING]
##### 0 2300 deny icmp from any to me via ed0
then your rule should be fine. If it's zero then the rules above it are
stopping any activity that this rule might have on incoming packets.
On Mon, 25 Aug 2003, K Anderson wrote:
> Howdy folks,
> I've been getting bombarded with ICMP (Cyberkit 2.2 attack) stuff and
> created a rule in ipfw to firewall it. The rule is working, I am getting
> measured stats but the problem is snort is seeing them and reporting
> them. I thought that by firewalling ICMP snort would stop noticing them.
> If I'm wrong in my assumption I would certainly like to hear it.
> Here is the firewall rule I applied.
> deny log icmp from any to me via ed0
> There are some TCP and IP rules above that but I don't see that causing
> anything to skip over the ICMP rule. And snort is seeing them as I did
> a quick search through ACID.
> Thanks in advance.
> [EMAIL PROTECTED] mailing list
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
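One way to script the counter check the reply describes, as an added example that is not from the thread: it parses `ipfw -a list` output (rule number, packet count, byte count, action) and reports whether a given rule has matched any packets. The sample output below is constructed, not taken from the original poster's host.

```shell
#!/bin/sh
# Constructed sample of `ipfw -a list` output: rule number, packets, bytes,
# then the rule text. Rule 300 is the ICMP deny from the thread with zero
# counters, meaning nothing has reached it yet.
SAMPLE_IPFW_OUTPUT='00100 1523 98012 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny log icmp from any to me via ed0
65535 40211 5120388 allow ip from any to any'

# rule_hits RULE_NUMBER [OUTPUT]
# Prints "<packets> <bytes>" for the rule; returns 1 if the rule is absent.
# When OUTPUT is omitted the live `ipfw -a list` is read instead.
rule_hits() {
    rule="$1"
    out="${2:-$(ipfw -a list)}"
    printf '%s\n' "$out" | awk -v r="$rule" '
        $1 + 0 == r + 0 { print $2, $3; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# rule_active RULE_NUMBER [OUTPUT]
# Returns 0 when the rule's packet counter is non-zero (it is matching
# traffic), 1 when it is zero (an earlier rule matched first, or no such
# traffic arrived), 2 when the rule does not exist.
# Note: a non-zero counter only shows ipfw dropped the packets; Snort,
# capturing via BPF before the firewall, will still report them.
rule_active() {
    hits=$(rule_hits "$1" "$2") || return 2
    pkts=${hits%% *}
    [ "$pkts" -gt 0 ]
}
```

Run `rule_active 300 || echo "rule 300 has not matched any packets"` against the live rule set to reproduce the check from the reply.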