Koozali.org: home of the SME Server

Need help ! Over 40,000 snort alerts on ICMP after upgrade

paulfung

« on: April 25, 2007, 08:43:19 AM »
Just upgraded to 7.1.3; after a small problem with user-manager it looks OK.

But then over 40,000 alerts were recorded on ICMP in my snort + BASE system, and every source IP is my own external IP. (I am using a PPPoE setup with a fixed IP.)

It looks to me like it is the PPPoE interface calling the ISP's server and some other IPs (every source IP is my external IP, and only 4 outside IPs are destinations).

These alerts are:
[arachNIDS] [local] [snort] ICMP PING BSDtype  ----- over 19,000 in 8 hours
[local] [snort] ICMP PING *NIX   ----- over 18,000 in 8 hours
[local] [snort] ICMP PING   ------ over 19,000 in 8 hours

I have tried to disable this logging in many ways, but it just didn't work out; the alerts are still flooding in....

===============

Some ways I have tried are:

/sbin/e-smith/db configuration setprop masq Stealth yes
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
service masq restart

OR

/sbin/iptables -A OUTPUT -o eth1 -p ICMP -s [ext_IP_Address] --icmp-type 8 -j LOG

OR

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

===============

Is it a real hacking attempt? (It did look like one to me.....)

Or is it a bug?

Does anyone have an idea about this?
Best Regards,

Paul T.C.Fung

paulfung

« Reply #1 on: April 25, 2007, 08:27:38 PM »
Now over 95,000 alerts after 16 hours......

Does anyone know how to set a firewall rule to skip these logs?
Best Regards,

Paul T.C.Fung

okepc

« Reply #2 on: April 26, 2007, 09:46:35 AM »
Just disable the ICMP rule in snort; this is normal traffic and nothing to worry about.

I have no access to the server atm, but I thought you could disable the rule somewhere through the snort updater script, so you won't run into trouble at the next update.

So either fix snort.conf or the updater script to exclude icmp.rules.

Quote
This event indicates an ICMP echo request originating from the common
utility known as 'ping'.

This event in its natural state is used to measure the health
and/or availability of an IP protocol on a network-connected device
through the use of an ICMP echo request.

paulfung

« Reply #3 on: June 18, 2007, 09:25:54 AM »
Finally fixed the problem.

As it states in the snort.conf file:
============
# The following rulesets are disabled by default:
#
#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
#   chat, multimedia, and p2p
============

But there is still a line generated by the template:
============
include $RULE_PATH/icmp-info.rules
============

The solution is:

Edit the file "/etc/e-smith/templates/etc/snort/snort.conf/90Rules"

Change from:
============
{
    @all_file = `ls /etc/snort/rules |grep .rules`;
    foreach my $file (@all_file)
    {
        $OUT .= "include \$RULE_PATH/".$file."\n";
    }

}
============

To:

============
{
    @all_file = `ls /etc/snort/rules |grep .rules`;
    foreach my $file (@all_file)
    {
        # each entry from `ls` still carries its trailing newline, so match it too
        $remk = "";
        if ($file eq "icmp-info.rules\n")
        {
            # prefix the include for the noisy icmp-info ruleset with '#' so snort skips it
            $remk = "#";
        }
        $OUT .= $remk."include \$RULE_PATH/".$file."\n";
    }

}
============

Then:

============
expand-template /etc/snort/snort.conf
service snortd restart
============

Now snort works normally for me...... hope that will help someone with the same problem.
Best Regards,

Paul T.C.Fung
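As an added example (not code from this thread, from the SME Server snort contrib, or from the 90Rules template): a POSIX shell script that rebuilds the `include $RULE_PATH/<file>` block the way the fixed template does, generalized to any number of excluded rule files (okepc's suggestion of dropping the ICMP rule set and the icmp-info.rules change above are the same operation), and then checks the generated snort.conf for an include of the excluded file that is still active. The rule files and the sandbox directory are constructed for the demo; on a real SME Server the rules directory is /etc/snort/rules and the check would be run against /etc/snort/snort.conf after `expand-template`.

```shell
#!/bin/sh
# Added example, not part of the SME Server snort contrib or its 90Rules template.
# It regenerates the snort.conf include block from a rules directory, commenting
# out any rule files named on the command line, and verifies the result.
# Everything runs in a throwaway sandbox so no real snort install is touched;
# on a real box RULES_DIR would be /etc/snort/rules.

# gen_includes RULES_DIR [EXCLUDED_FILE ...]
# One include line per *.rules file in RULES_DIR; files named in the exclude
# list are emitted commented out (leading '#'), like icmp-info.rules in the fix.
gen_includes() {
    rules_dir=$1; shift
    for path in "$rules_dir"/*.rules; do
        [ -e "$path" ] || continue          # no *.rules at all: glob stays literal
        file=${path##*/}
        prefix=""
        for excluded in "$@"; do
            [ "$file" = "$excluded" ] && prefix="#"
        done
        printf '%sinclude $RULE_PATH/%s\n' "$prefix" "$file"
    done
}

# active_includes SNORT_CONF
# Print the rule files that are still included (lines not commented out).
active_includes() {
    sed -n 's/^include \$RULE_PATH\/\(.*\)$/\1/p' "$1"
}

# rule_is_excluded SNORT_CONF RULE_FILE
# Exit 0 when RULE_FILE has no active include line, 1 when snort would still load it.
rule_is_excluded() {
    ! active_includes "$1" | grep -qx "$2"
}

# --- demo with constructed rule files (empty stand-ins, not real snort rule sets) ---
sandbox=$(mktemp -d)
mkdir -p "$sandbox/rules"
for f in icmp.rules icmp-info.rules web-attacks.rules; do
    : > "$sandbox/rules/$f"
done
echo "not a rule file" > "$sandbox/rules/README"   # must be ignored by the glob

gen_includes "$sandbox/rules" icmp-info.rules web-attacks.rules > "$sandbox/snort.conf"
cat "$sandbox/snort.conf"
# Expected output (glob order):
# #include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/icmp.rules
# #include $RULE_PATH/web-attacks.rules

if rule_is_excluded "$sandbox/snort.conf" icmp-info.rules; then
    echo "OK: icmp-info.rules is no longer loaded"
else
    echo "STILL ACTIVE: icmp-info.rules" >&2
fi
rm -rf "$sandbox"
```

The `rule_is_excluded` check is the part worth keeping around: run it against /etc/snort/snort.conf after every `expand-template` or contrib update, because a refreshed stock template silently puts the include line back unless the edited fragment lives in templates-custom.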

mmccarn

« Reply #4 on: June 18, 2007, 01:46:23 PM »
If you want your customized template to survive an update to the snort contrib you will need to:
Code:
mkdir -p /etc/e-smith/templates-custom/etc/snort/snort.conf
cd /etc/e-smith/templates-custom/etc/snort/snort.conf
cp /etc/e-smith/templates/etc/snort/snort.conf/90Rules .
(note the "." at the end of the last line...)