Re: [Snort-users] ICMP / drop.

Old 10-09-2003
Edin Dizdarevic
 


Hi,

Rudi Starcevic wrote:
> Hi,
>
>> But please note that TCP/IP *needs* ICMP in order to work properly.

>
>
> Thanks - sorry such novice questions.
> I am working through a Snort book right now - guess I should get a TCP
> one next.


Taking it the other way would probably be the better one... ;)

>
> I've had Snort up and running only for a day or so and noticed an IP
> that first pinged
> me then followed up with loads of request on all sorts of ports which
> triggered dozens
> of alerts.


Sounds to me like a normal nmap scan. Prepare to handle several ones a
day.

>
> So I had the silly idea to drop icmp packets and be anonymous.


That won't work no matter what you do - except pulling the plug - of
course ;) but that's not the deal, I guess.

> As I now know you'll also end up lonely if you drop icmp packets :-)
> So it's not really possible to be anonymous. The machine just has to deal
> with the
> requests asked of it. The first step is to monitor those requests with
> something like Snort.


You may want to try tcpdump and/or (even better) Ethereal. One possible
scenario is to capture the traffic with tcpdump and visualize it with
Ethereal. Ethereal has some neat functions like "follow the TCP stream"
so you may follow the communication between two hosts.

>
> I guess in this case I should look at SnortSam for someone who triggers
> multiple alerts
>
> Thanks
> Rudi.
>


Regards,
Edin

--
Edin Dizdarevic
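The pattern Rudi describes (one host pings the sensor, then hits many ports within seconds) is what a reviewer would want to pick out of Snort's alert output before deciding whether an automated responder such as SnortSam is warranted. The script below is an added example, not code from the original post or from the Snort project: it parses alert lines in a layout that approximates Snort's single-line "fast" alert format (the exact layout is an assumption), and reports source addresses whose ICMP echo is followed within a time window by alerts to at least a threshold number of distinct destination ports. The sample lines, addresses (documentation ranges) and signature ids are constructed.

```python
"""Flag sources that ping the sensor and then probe many ports shortly after.

Added example (not from the original post). The alert line layout below
approximates Snort's single-line fast alert output; that layout, the sample
lines, the addresses and the signature ids are all constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime

# One alert per line:  MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ... {PROTO} src[:sport] -> dst[:dport]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts: one scanner (ping, then five ports within a second,
# then a late probe three minutes later), one host that only pings, and one
# host that touches two ports without pinging first.
SAMPLE_ALERTS = [
    "10/09-03:12:01.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "10/09-03:12:02.100000  [**] [1:1000001:1] Probe to ssh port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:22",
    "10/09-03:12:02.200000  [**] [1:1000002:1] Probe to telnet port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.0.2.10:23",
    "10/09-03:12:02.300000  [**] [1:1000003:1] Probe to http port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40003 -> 192.0.2.10:80",
    "10/09-03:12:02.400000  [**] [1:1000004:1] Probe to https port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40004 -> 192.0.2.10:443",
    "10/09-03:12:02.500000  [**] [1:1000005:1] Probe to mysql port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40005 -> 192.0.2.10:3306",
    "10/09-03:15:00.000000  [**] [1:1000006:1] Probe to http-alt port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40006 -> 192.0.2.10:8080",
    "10/09-03:12:03.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.10",
    "10/09-03:20:00.000000  [**] [1:1000001:1] Probe to ssh port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51000 -> 192.0.2.10:22",
    "10/09-03:20:00.500000  [**] [1:1000003:1] Probe to http port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51001 -> 192.0.2.10:80",
]


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    # The fast format carries no year; datetime fills in 1900, which is fine
    # for computing deltas between alerts from the same day.
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")
    dport = int(m.group("dport")) if m.group("dport") else None
    return {"ts": ts, "msg": m.group("msg"), "proto": m.group("proto"),
            "src": m.group("src"), "dst": m.group("dst"), "dport": dport}


def find_ping_then_sweep(lines, window_s=60, min_ports=5):
    """Map each source that pinged and then hit >= min_ports distinct ports
    within window_s seconds of its first ping to the sorted list of ports."""
    first_ping = {}              # src -> timestamp of its first ICMP PING alert
    ports = defaultdict(set)     # src -> destination ports seen inside the window
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue            # unparseable line: skip rather than crash the run
        src = a["src"]
        if a["proto"] == "ICMP" and "PING" in a["msg"].upper():
            first_ping.setdefault(src, a["ts"])
            continue
        if src in first_ping and a["dport"] is not None:
            delta = (a["ts"] - first_ping[src]).total_seconds()
            if 0 <= delta <= window_s:
                ports[src].add(a["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, hit in find_ping_then_sweep(SAMPLE_ALERTS).items():
        print(f"{src}: ping followed by probes to ports {hit}")
```

Run against a real alert file, `find_ping_then_sweep(open("alert"))` would do the same over live lines. The window and threshold are the knobs that decide how noisy the report is: widening the window to ten minutes pulls in the scanner's late probe to port 8080 as well, while the host that only pinged and the host that touched two ports without pinging never appear.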



_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users