Snort Alerts ??
hi
I disabled all rules in Snort and I wrote one rule:

    alert icmp 192.168.1.213 any -> 192.168.1.212 any (msg:" PING !!!!";)

but when I enter this command

    nmap -sX -p 22,25,53,110,80 192.168.*.210-214

I see things like this:

    ** ORIGINAL DATAGRAM DUMP:
    192.168.1.212:110 -> 192.168.1.213:59530
    TCP TTL:128 TOS:0x0 ID:57147 IpLen:20 DgmLen:40
    ***A*R** Seq: 0x0 Ack: 0x30842827 Win: 0x0 TcpLen: 20
    ** END OF DUMP

or

    [**] [122:1:0] (portscan) TCP Portscan [**]
    06/20-14:34:37.852199 192.168.1.213 -> 192.168.1.210 PROTO255 TTL:0 TOS:0x0 ID:41950 IpLen:20 DgmLen:161

    [**] [122:1:0] (portscan) TCP Portscan [**]
    06/20-14:35:30.904632 192.168.1.213 -> 192.168.60.210 PROTO255 TTL:0 TOS:0x0 ID:61479 IpLen:20 DgmLen:160

I cannot understand why this happened, because I have one rule that says: when Source IP = 192.168.1.213 and Destination IP address = 192.168.1.212 then alert me, but ...... why??? Can you help me please???
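An added note and example, not part of the thread: the `[122:1:0]` in those alerts is Snort's generator:signature:revision triple, and generator ID 122 is the sfportscan preprocessor, not the rules engine (which is generator 1). Preprocessor and decoder alerts are enabled in snort.conf and fire no matter how many text rules are disabled; the `PROTO255` pseudo-packet is how sfportscan delivers its scan summary. The `** ORIGINAL DATAGRAM DUMP` block, by contrast, is what Snort prints for an ICMP error message that carries a copy of the packet that provoked it, so that entry is an ICMP packet and can legitimately match the rule above. The script below (my own, with constructed alert lines modelled on the ones in the post, and an assumed sid of 1000001 for the PING rule) parses "full" alert headers and separates rule-generated alerts from preprocessor ones, which is the first check to make when an alert appears that no loaded rule explains.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Generator IDs Snort 2.x stamps on alerts. Only gid 1 comes from the text
# rules loaded through snort.conf; the others are built-in components that
# are configured with "preprocessor"/"config" lines, not with rules.
GENERATORS = {
    1: "rules engine (text rules)",
    116: "decoder (snort_decoder)",
    122: "sfportscan preprocessor",
}

# "[**] [gid:sid:rev] message [**]" followed by the packet summary line
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]$")
PACKET_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+)")

# Constructed sample, modelled on the thread's output; sid 1000001 is assumed.
SAMPLE_ALERTS = """\
[**] [122:1:0] (portscan) TCP Portscan [**]
06/20-14:34:37.852199 192.168.1.213 -> 192.168.1.210 PROTO255 TTL:0 TOS:0x0 ID:41950 IpLen:20 DgmLen:161

[**] [122:1:0] (portscan) TCP Portscan [**]
06/20-14:35:30.904632 192.168.1.213 -> 192.168.60.210 PROTO255 TTL:0 TOS:0x0 ID:61479 IpLen:20 DgmLen:160

[**] [1:1000001:0]  PING !!!! [**]
06/20-14:36:01.000000 192.168.1.213 -> 192.168.1.212 ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
"""


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    src: str
    dst: str
    proto: str

    @property
    def from_rule(self) -> bool:
        """True only for alerts produced by a loaded text rule."""
        return self.gid == 1

    @property
    def origin(self) -> str:
        return GENERATORS.get(self.gid, f"unknown generator {self.gid}")


def parse_alerts(text: str) -> list[Alert]:
    """Parse Snort 'full' alert records into Alert objects."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    alerts: list[Alert] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
        src = dst = proto = ""
        # The next line, if it is a packet summary, gives addresses and protocol.
        if i + 1 < len(lines):
            p = PACKET_RE.match(lines[i + 1])
            if p:
                src, dst, proto = p.group(2), p.group(3), p.group(4)
                i += 1
        alerts.append(Alert(gid, sid, rev, m.group(4), src, dst, proto))
        i += 1
    return alerts


def remaining_after_disabling_rules(alerts: list[Alert]) -> list[Alert]:
    """Alerts that would still appear with every text rule commented out."""
    return [a for a in alerts if not a.from_rule]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.gid}:{a.sid}:{a.rev} {a.src} -> {a.dst} {a.proto}  "
              f"[{a.origin}] {a.msg}")
    print(len(remaining_after_disabling_rules(parsed)),
          "alert(s) come from preprocessors, not rules")
```

Running it on the constructed sample reports the two portscan alerts as preprocessor output that disabling rules cannot suppress; the corresponding snort.conf knob is the `preprocessor sfportscan` line, not the rules files.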
nmap -sX isn't an ICMP scan.
See man nmap for details. There must be some rules loaded for the TCP detection to make alerts.
But I disabled all of the rules via Webmin and I have one rule!!!
I cannot understand why this happened... I want to know why this happened. Can you help me with it??
Try starting snort with the -c option and specify an empty file, e.g.

    snort -c /root/empty

This should load an empty rules file. I don't have access to a running snort to try this on. It may protest if the file is empty. The manual doesn't describe this command as an exclude or include option: http://216.239.59.104/search?q=cache...client=firefox
After snort's -c option you must write the path of snort.conf, not a rule. I am sure of this; I read it in some books. How can I do it now??
Oops. Now that I read it properly I can see.
Did you ask on the Snort mailing list?