Re: ACID and ICMP

[roman () danyliw com]

James,

- What rules used to get triggered in Snort 1.7
with the nmap scan?  Have you confirmed that these
exact rules are present in you Snort 1.8 configuration.

- When you exit out of Snort and see the protocol
stats, can you confirm that Snort saw TCP/UDP
traffic?  If Snort lists no TCP/UDP traffic then
mostly likely do not having it pointing at the
correct interface.

- Try temporarily turning of the stream4 preprocessor
(it does stateful inspection and reassembly), do
you see alerts now?

Roman

> Forgive me if this has be hashed and re-hashed alrady, but I just 
> installed the latest versions of Snort, and ACID. ACID seems to be 
> working well. I notices my two sensors, but the problem is, All I get 
> are ICMP destination unreachable messages logged. No TCP no UDP no 
> portscans.
>
> I fired up nmap against one system and I got the  same thing. I am used 
> to the 1.7 version logging all kinds of info when I run:
>
> $ nmap -O -p1-65535 -sT host
>
> But not this time.
>
> Any help would be appreciated!
>
> Thanks
>
> -James
>
>
> -- 
> James Kelty
> Sr. Unix Systems Administrator
> The Ashland Agency
> 541.488.0801
> jamesk () ashlandagency com
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users