Snort mailing list archives
Re: Snort-users digest, Vol 1 #1171 - 9 msgs
From: Bob Hillegas <bobhillegas () pdq net>
Date: Mon, 22 Oct 2001 20:25:08 -0500 (CDT)
On Mon, 22 Oct 2001 "snortlst snortlst" <snortlst () hotmail com> wrote:
> From: "snortlst snortlst" <snortlst () hotmail com>
> To: <snort-users () lists sourceforge net>
> Date: Mon, 22 Oct 2001 10:19:05 -0500
> Subject: [Snort-users] icmp
>
> I run snort on a sensor connected to the internet switch to see the traffic that comes to the firewall. I see that only ICMP traffic is logged to the alert file. Why? Thanks.
Refer to "TCP/IP Illustrated, Volume 1: The Protocols" by W. Richard Stevens for details. TCP depends on a three-packet handshake to complete a connection. ICMP does not. If your firewall DENYs externally originated communication (i.e. SYN packets), the connection never completes, and you never see any interesting payloads for snort to alert on.

For snort to educate you on possible intrusions, you need to be looking over the shoulder (so to speak) of a vulnerable box: one that will let anyone strike up a conversation and willingly accept any payload they want to send. Without a willing host on the subnet, all your snort-captured traffic will be really boring, but safe.

See the archives for prior discussions/arguments on using snort with a firewall.

--
-------------------------------------------------
Bob Hillegas <bobhillegas () pdq net>
281.546.9311
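The point Bob makes above (a dropped inbound SYN means the handshake never completes, so no payload ever crosses the wire for a content rule to match, while ICMP needs no handshake at all) can be shown with a small model of the exchange. The following is an added example, not code from the original post or from the Snort project. It uses constructed addresses (10.0.0.5 for the protected host, 198.51.100.7 for the outside host), a toy firewall with a single deny-inbound-SYN policy, and two toy rules that stand in for a Snort ruleset; none of these names are from the thread.

```python
from dataclasses import dataclass

# Constructed addresses: a protected host behind the firewall and an outside host.
INTERNAL = "10.0.0.5"
EXTERNAL = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    flags: str = ""     # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK
    payload: bytes = b""


def firewall_allows(pkt: Packet, deny_inbound_syn: bool) -> bool:
    """Inbound policy of the modelled firewall. With deny_inbound_syn it drops any
    externally originated TCP SYN (SYN set, ACK clear); ICMP and everything else pass."""
    if pkt.dst != INTERNAL:
        return True                      # outbound traffic is never filtered here
    if deny_inbound_syn and pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags:
        return False
    return True


def run_session(sensor_position: str, deny_inbound_syn: bool) -> list:
    """Replay one external host's activity: a TCP connection attempt that carries a
    payload once the handshake completes, then an ICMP echo. Returns the packets the
    sensor observes. sensor_position is "outside" (internet side of the firewall) or
    "inside" (between firewall and host)."""
    observed = []

    def deliver(pkt: Packet) -> bool:
        """Carry a packet across the firewall; record it if the sensor's tap sees it."""
        passes = firewall_allows(pkt, deny_inbound_syn)
        # The outside tap sees every packet; the inside tap only what the firewall lets through.
        if sensor_position == "outside" or passes:
            observed.append(pkt)
        return passes

    # TCP: the three-packet handshake must complete before the client sends any payload.
    if deliver(Packet(EXTERNAL, INTERNAL, "tcp", "S")):
        deliver(Packet(INTERNAL, EXTERNAL, "tcp", "SA"))
        deliver(Packet(EXTERNAL, INTERNAL, "tcp", "A"))
        deliver(Packet(EXTERNAL, INTERNAL, "tcp", "PA", b"GET / HTTP/1.0\r\n\r\n"))
    # If the SYN was dropped, the client never sees a SYN/ACK and the exchange ends there.

    # ICMP: no handshake, so a single datagram is already a complete exchange.
    if deliver(Packet(EXTERNAL, INTERNAL, "icmp", payload=b"echo-request")):
        deliver(Packet(INTERNAL, EXTERNAL, "icmp", payload=b"echo-reply"))
    return observed


# Two toy detection rules standing in for a Snort ruleset (constructed for this example):
# one keys on ICMP alone, the other needs TCP payload to inspect.
RULES = [
    ("ICMP echo request", lambda p: p.proto == "icmp" and p.payload == b"echo-request"),
    ("TCP payload content match", lambda p: p.proto == "tcp" and b"GET" in p.payload),
]


def alerts(observed: list) -> list:
    """Names of rules that fire on the observed packets, in packet order."""
    return [name for pkt in observed for name, match in RULES if match(pkt)]


def summary(sensor_position: str, deny_inbound_syn: bool) -> dict:
    """What a sensor at the given position sees and alerts on under the given policy."""
    observed = run_session(sensor_position, deny_inbound_syn)
    return {
        "packets_seen": [(p.proto, p.flags) for p in observed],
        "payload_bytes_seen": sum(len(p.payload) for p in observed if p.proto == "tcp"),
        "alerts": alerts(observed),
    }


if __name__ == "__main__":
    for pos in ("outside", "inside"):
        for deny in (True, False):
            print(pos, "sensor, deny inbound SYN =", deny, "->", summary(pos, deny))
```

With the deny policy on, the outside sensor records the lone SYN and the ICMP pair but zero bytes of TCP payload, so only the ICMP rule can fire; the inside sensor sees nothing but ICMP. Only with a host that is allowed to accept the connection does the payload appear and the content rule match, which is the "willing host" the reply describes.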