Snort mailing list archives

Re: Snort-users digest, Vol 1 #1171 - 9 msgs


From: Bob Hillegas <bobhillegas () pdq net>
Date: Mon, 22 Oct 2001 20:25:08 -0500 (CDT)



On Mon, 22 Oct 2001 "snortlst snortlst" <snortlst () hotmail com> wrote:

From: "snortlst snortlst" <snortlst () hotmail com>
To: <snort-users () lists sourceforge net>
Date: Mon, 22 Oct 2001 10:19:05 -0500
Subject: [Snort-users] icmp

I run snort on a sensor connected to the internet switch to see the traffic
that comes to the firewall.
I see that only ICMP traffic is logged to the alert file.
Why?

Thanks.


Refer to "TCP/IP Illustrated, Volume 1, the Protocols" by W.Richard
Stevens for details.

TCP depends on a three-packet handshake to complete a connection. ICMP
does not.

If your firewall DENYs externally originated communication (i.e. SYN
packets), the connection never completes, and you never see any interesting
payloads for snort to alert on.

For snort to educate you on possible intrusions, you need to be looking
over the shoulder (so to speak) of a vulnerable box: one that will let
anyone strike up a conversation and willingly accept any payload they want
to send. Without a willing host on the subnet, all your snort-captured
traffic will be really boring, but safe.

See archives for prior discussions/arguments on using snort with a
firewall.

-- 
-------------------------------------------------
Bob Hillegas
<bobhillegas () pdq net>
281.546.9311



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
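The following is an added illustration of the point made in the reply above; it is not code from the original post or from the Snort project. It models, in plain Python, the packets a sensor in front of a firewall would capture during one external probe, under both a DENY and an ALLOW policy for inbound SYNs, and runs two Snort-like rules (an ICMP echo rule and a TCP content rule for "/etc/passwd") over them. The addresses, the attacker's behaviour (ping, then a TCP connect on port 80 with SYN retransmits if unanswered) and the rule logic are simplified assumptions; no real Snort rule syntax is used.

```python
"""Toy model of why a sensor outside a SYN-denying firewall alerts only on ICMP.

Added example, not from the original post or from Snort. Addresses come from
the documentation ranges (TEST-NET-3 / TEST-NET-2) and are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    flags: str = ""       # TCP flags, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


ATTACKER = "203.0.113.5"    # constructed external host
SERVER = "198.51.100.10"    # constructed host behind the firewall


def attacker_session(firewall_allows_syn: bool) -> list[Packet]:
    """Packets that cross the sensor's wire (outside the firewall) in one probe.

    The attacker pings first, then tries to open TCP/80 and send a request.
    ICMP needs no handshake, so the echo request is on the wire no matter
    what the firewall does with it.  If the firewall drops the inbound SYN,
    no SYN-ACK ever comes back, the client retransmits and gives up, and the
    only TCP packets the sensor sees are empty SYNs: there is no payload for
    a content rule to match.
    """
    wire = [Packet("icmp", ATTACKER, SERVER, payload=b"\x08\x00 echo request")]
    wire.append(Packet("tcp", ATTACKER, SERVER, flags="S"))
    if not firewall_allows_syn:
        # Firewall DENY: assume two SYN retransmits, then the client gives up.
        wire.append(Packet("tcp", ATTACKER, SERVER, flags="S"))
        wire.append(Packet("tcp", ATTACKER, SERVER, flags="S"))
        return wire
    # Firewall ALLOW (or a willing host): handshake completes, payload follows.
    wire.append(Packet("tcp", SERVER, ATTACKER, flags="SA"))
    wire.append(Packet("tcp", ATTACKER, SERVER, flags="A"))
    wire.append(Packet("tcp", ATTACKER, SERVER, flags="PA",
                       payload=b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"))
    return wire


# Two Snort-like rules: one single-packet ICMP rule, one TCP content rule.
# Names are assumed; they only resemble classic Snort rule messages.
RULES = [
    ("ICMP PING", lambda p: p.proto == "icmp"),
    ("WEB-MISC /etc/passwd", lambda p: p.proto == "tcp" and b"/etc/passwd" in p.payload),
]


def run_sensor(wire: list[Packet]) -> Counter:
    """Apply every rule to every packet and count alerts by rule name."""
    alerts: Counter = Counter()
    for pkt in wire:
        for name, match in RULES:
            if match(pkt):
                alerts[name] += 1
    return alerts


def alert_summary(firewall_allows_syn: bool) -> dict[str, int]:
    """Alert counts the sensor would log for one probe under the given policy."""
    return dict(run_sensor(attacker_session(firewall_allows_syn)))


def tcp_payload_bytes(firewall_allows_syn: bool) -> int:
    """Total TCP payload bytes the sensor had available to inspect."""
    return sum(len(p.payload) for p in attacker_session(firewall_allows_syn)
               if p.proto == "tcp")


if __name__ == "__main__":
    for allow in (False, True):
        policy = "ALLOW" if allow else "DENY"
        print(f"firewall {policy:5s} inbound SYN -> alerts {alert_summary(allow)}, "
              f"tcp payload bytes seen {tcp_payload_bytes(allow)}")
```

Under DENY the only rule that fires is the ICMP one, and the TCP payload byte count is zero, which is exactly the "only ICMP in the alert file" symptom. Move the same rules to a sensor behind a host that completes the handshake (the ALLOW case) and the content rule fires as well.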
