LinuxQuestions.org
06-21-2005, 01:23 AM   #1
zahra79
LQ Newbie
 
Registered: Apr 2005
Posts: 13

Rep: Reputation: 0
Snort Alerts ??


Hi,
I disabled all rules in Snort and I wrote one rule:
alert icmp 192.168.1.213 any -> 192.168.1.212 any (msg:" PING !!!!";)
But when I enter this command:
nmap -sX -p 22,25,53,110,80 192.168.*.210-214
I see things like:

** ORIGINAL DATAGRAM DUMP:
192.168.1.212:110 -> 192.168.1.213:59530
TCP TTL:128 TOS:0x0 ID:57147 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x30842827 Win: 0x0 TcpLen: 20
** END OF DUMP


OR

[**] [122:1:0] (portscan) TCP Portscan [**]
06/20-14:34:37.852199 192.168.1.213 -> 192.168.1.210
PROTO255 TTL:0 TOS:0x0 ID:41950 IpLen:20 DgmLen:161

[**] [122:1:0] (portscan) TCP Portscan [**]
06/20-14:35:30.904632 192.168.1.213 -> 192.168.60.210
PROTO255 TTL:0 TOS:0x0 ID:61479 IpLen:20 DgmLen:160

I do not know why this happened.
I have one rule, in which I specified that when the source IP is 192.168.1.213 and the destination IP address is 192.168.1.212 it should alert me, but ......
Why?
Can you help me please?
 
06-21-2005, 08:07 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
nmap -sX isn't an icmp scan..

See man nmap for details..

There must be some rules loaded for the tcp detection to make alerts..
 
06-21-2005, 08:15 AM   #3
zahra79
LQ Newbie
 
Registered: Apr 2005
Posts: 13

Original Poster
Rep: Reputation: 0
But I disabled all of the rules with Webmin and I have only one rule!
I cannot understand why this happened.
I want to know why this happened.
Can you help me with it?
 
06-21-2005, 08:50 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Try starting snort with the -c option and specify an empty file, eg
snort -c /root/empty

This should load an empty rules file..
I don't have access to a running snort to try this on. It may protest if the file is empty.

The manual doesn't describe this command as an exclude or include option.. http://216.239.59.104/search?q=cache...client=firefox
 
06-22-2005, 12:51 AM   #5
zahra79
LQ Newbie
 
Registered: Apr 2005
Posts: 13

Original Poster
Rep: Reputation: 0

After the -c option you must write the path of snort.conf, not a rule file.
I am sure of this. I read it in some books.
What can I do now?
 
06-22-2005, 06:11 AM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Oops.. Now that I read it properly I can see..

Did you ask on the Snort mailing list?
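
Added example, not part of any post in this thread: a small Python triage of the alert text quoted in post #1, reading the `[gid:sid:rev]` header to tell which Snort component raised each alert. It assumes Snort 2.x generator IDs (1 for text rules, 122 for the sfPortscan preprocessor, which is enabled in snort.conf rather than in rule files); the names `parse_alerts` and `from_rule` are hypothetical helpers.

```python
import re
from dataclasses import dataclass

# Alert text copied from the first post in this thread (full alert format).
SAMPLE = """\
[**] [122:1:0] (portscan) TCP Portscan [**]
06/20-14:34:37.852199 192.168.1.213 -> 192.168.1.210
PROTO255 TTL:0 TOS:0x0 ID:41950 IpLen:20 DgmLen:161

[**] [122:1:0] (portscan) TCP Portscan [**]
06/20-14:35:30.904632 192.168.1.213 -> 192.168.60.210
PROTO255 TTL:0 TOS:0x0 ID:61479 IpLen:20 DgmLen:160
"""

# Assumed Snort 2.x generator IDs; other values are listed in gen-msg.map.
GENERATORS = {1: "text rule", 122: "sfPortscan preprocessor"}

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
ADDRS = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?$")

@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    src: str = ""
    dst: str = ""

    @property
    def source(self):
        return GENERATORS.get(self.gid, "other generator (see gen-msg.map)")

def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # "[**] [gid:sid:rev] message [**]" starts a new alert
            alerts.append(Alert(int(m[1]), int(m[2]), int(m[3]), m[4]))
            continue
        m = ADDRS.match(line)  # "timestamp src[:port] -> dst[:port]"
        if m and alerts and not alerts[-1].src:
            alerts[-1].src, alerts[-1].dst = m[1], m[2]
    return alerts

def from_rule(alert, src, dst):
    """True only if a text rule with this fixed source/destination could have fired."""
    return alert.gid == 1 and alert.src == src and alert.dst == dst
```

Both quoted alerts carry generator ID 122, so `from_rule(a, "192.168.1.213", "192.168.1.212")` is false for each: they were raised by the portscan preprocessor, independent of which rule files are loaded.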
 
  


All times are GMT -5.