I found what I (probably mistakenly) thought was an attack based on the following line in my daily SNORT report:

59  135.181.34.105   10.0.0.1          ICMP Destination Unreachable Communication Administratively Prohibited   {ICMP}

I have learned the hard way not to accept ChatGPT recommendations about changing config files, so here is a SHORT version of a VERY LONG session with ChatGPT, and I would like to know if the final suggestion seems correct before I try it:


After several clearly incorrect suggestions, ChatGPT suggested that this was not an attack but evidence that "The ICMP is a response, not an attack", and that to prove this I could add raw data to the logs (which Snort does not do by default on Kubuntu).

The final suggestion was to add the following to snort.conf:

# Minimal PCAP logging for ICMP diagnostics
output log_tcpdump: icmp.pcap, limit 16

and to add a logrotate rule to handle the new .pcap file being created

-- 
Shlomo Solomon
http://the-solomons.net
Thunderbird 140.3.1esr - KDE Plasma 5.27.12 - Kubuntu 24.04

_______________________________________________
Linux-il mailing list -- [email protected]
To unsubscribe send an email to [email protected]
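Added example, not part of the original post and not Snort code: what the raw packet data would let you check. An ICMP Destination Unreachable (type 3; code 13 is "communication administratively prohibited") carries, after its 8-byte ICMP header, the IP header plus the first 8 bytes of the datagram that the filtering device dropped (RFC 792). If the quoted datagram's source address is our own host, the ICMP is a reply to something we sent, which is the point ChatGPT was making. The script below builds such a packet from constructed values (the addresses from the report line, an assumed outbound TCP SYN to port 443 from an assumed source port) and then decodes it the way you would decode a frame from the pcap; the function names and the sample packet are mine, not from any capture.

```python
import struct
import ipaddress

# Names of the ICMP type 3 (Destination Unreachable) codes that matter here (RFC 792/1812).
ICMP3_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data that already
    contains a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_admin_prohibited(sender: str, target: str, orig_src: str, orig_dst: str,
                           orig_dport: int, orig_sport: int = 51234) -> bytes:
    """Constructed sample: 'sender' (the filtering router/firewall) tells 'target' that a
    TCP SYN from orig_src to orig_dst:orig_dport was dropped by policy (type 3, code 13).
    The quoted datagram is the dropped packet's IP header plus its first 8 bytes of TCP
    (source port, destination port, sequence number)."""
    quoted = ipv4_header(orig_src, orig_dst, 6, 20) + struct.pack("!HHI", orig_sport, orig_dport, 0x12345678)
    body = struct.pack("!BBHI", 3, 13, 0, 0) + quoted
    icmp = struct.pack("!BBHI", 3, 13, checksum(body), 0) + quoted
    return ipv4_header(sender, target, 1, len(icmp)) + icmp


def parse_icmp_unreachable(packet: bytes) -> dict:
    """Decode an IPv4/ICMP packet; for Destination Unreachable, also decode the quoted
    original datagram and say whether it was sent by the host the ICMP is addressed to."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    icmp = packet[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    info = {"outer_src": outer_src, "outer_dst": outer_dst, "type": icmp[0], "code": icmp[1],
            "code_name": ICMP3_CODES.get(icmp[1], "unknown") if icmp[0] == 3 else ""}
    if icmp[0] != 3:
        return info
    quoted = icmp[8:]
    if len(quoted) < 28:  # 20-byte IP header + 8 bytes of transport header
        raise ValueError("quoted datagram truncated")
    q_ihl = (quoted[0] & 0x0F) * 4
    info["orig_src"] = str(ipaddress.IPv4Address(quoted[12:16]))
    info["orig_dst"] = str(ipaddress.IPv4Address(quoted[16:20]))
    info["orig_proto"] = quoted[9]
    if quoted[9] in (6, 17):  # TCP/UDP: ports are the first 4 bytes of the transport header
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    # The diagnostic: a genuine error reply quotes a datagram WE sent, so its source
    # must be the address the ICMP was delivered to. The ICMP sender itself may be an
    # intermediate device, so the quoted destination need not equal the outer source.
    info["is_reply_to_our_traffic"] = info["orig_src"] == outer_dst
    info["sent_by_original_destination"] = info["orig_dst"] == outer_src
    return info


if __name__ == "__main__":
    pkt = build_admin_prohibited("135.181.34.105", "10.0.0.1", "10.0.0.1", "135.181.34.105", 443)
    for key, value in parse_icmp_unreachable(pkt).items():
        print(f"{key:28} {value}")
```

The quoted header is what you would then match against your own outbound traffic (the destination, protocol and port tell you which connection was refused). The check is only as good as that match: anyone can forge an ICMP with an arbitrary quoted datagram, so an "unreachable" whose quoted packet corresponds to nothing your host actually sent is the case worth a closer look, and the function flags that case by returning is_reply_to_our_traffic as False.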