[Snort-users] Re: Snort-users digest, Vol 1 #1171 - 9 msgs

Bob Hillegas bobhillegas at ...3133...
Mon Oct 22 18:27:06 EDT 2001

On Mon, 22 Oct 2001 "snortlst snortlst" <snortlst at ...125...> wrote:

> From: "snortlst snortlst" <snortlst at ...125...>
> To: <snort-users at lists.sourceforge.net>
> Date: Mon, 22 Oct 2001 10:19:05 -0500
> Subject: [Snort-users] icmp
> I run snort on the sensor connected to internet switch to see traffic that
> comes to firewall.
> I see only ICMP traffic is logged to alert file.
> Why?
> Thanks.
Refer to "TCP/IP Illustrated, Volume 1, the Protocols" by W.Richard
Stevens for details.

TCP depends on a three-packet handshake to complete a connection. ICMP
does not.

If your firewall DENYs externally originated communication (i.e. SYN
packets), the connection never completes, so you never see any interesting
payloads for snort to alert on.

For snort to educate you on possible intrusions, you need to be looking
over the shoulder (so to speak) of a vulnerable box. One that will let
anyone strike up a conversation and willingly accept any payload they want
to send. Without a willing host on the subnet, all your snort captured
traffic will be really boring, but safe.

See archives for prior discussions/arguments on using snort with a

Bob Hillegas
<bobhillegas at ...3133...>
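The point Bob makes above, as an added example that is not part of the original post or of Snort's own code: a toy sensor placed on the outside switch, a firewall that either drops or passes an inbound SYN, a minimal three-way-handshake tracker, and two constructed rules. The ICMP rule needs only one packet, so it fires whether or not anything is behind the firewall; the content rule is gated on an ESTABLISHED stream (the equivalent of `flow:to_server,established`), so when the SYN is dropped it can never fire. The addresses (TEST-NET ranges), ports, rule names and the HTTP request string are all constructed for illustration.

```python
"""Toy model: why an outside-the-firewall sensor sees only ICMP alerts.

Added example, not part of the original mailing-list post and not Snort code.
Hosts, ports, rule names and payloads are constructed for illustration.
"""
from collections import namedtuple

# flags: TCP flag letters ("S", "SA", "A", "PA"); for ICMP, the message type.
Pkt = namedtuple("Pkt", "proto src dst sport dport flags payload")

EXTERNAL = "203.0.113.7"  # constructed outside client (TEST-NET-3)
INSIDE = "192.0.2.10"     # constructed server behind the firewall (TEST-NET-1)


def sensor_capture(firewall_allows_inbound_syn):
    """Return the packets a sensor between the Internet and the firewall sees.

    The sensor always sees what the outside sends. Whether it ever sees a
    reply depends on the firewall letting the SYN reach the inside host.
    """
    pkts = [
        # One ICMP echo request is a complete, inspectable event by itself.
        Pkt("icmp", EXTERNAL, INSIDE, 0, 0, "echo-request", b""),
        # The outside client opens a TCP connection to port 80.
        Pkt("tcp", EXTERNAL, INSIDE, 40001, 80, "S", b""),
    ]
    if firewall_allows_inbound_syn:
        # Inside host answers, client finishes the handshake and sends data.
        pkts += [
            Pkt("tcp", INSIDE, EXTERNAL, 80, 40001, "SA", b""),
            Pkt("tcp", EXTERNAL, INSIDE, 40001, 80, "A", b""),
            Pkt("tcp", EXTERNAL, INSIDE, 40001, 80, "PA",
                b"GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0\r\n\r\n"),
        ]
    # Otherwise the SYN was dropped: no SYN-ACK, no ACK, no payload, ever.
    return pkts


def advance(state, p):
    """Update handshake state for one TCP packet, keyed by the client side."""
    if p.flags == "S":
        key = (p.src, p.sport, p.dst, p.dport)
        state[key] = "SYN_SENT"
    elif p.flags == "SA":
        key = (p.dst, p.dport, p.src, p.sport)
        if state.get(key) == "SYN_SENT":
            state[key] = "SYN_RECEIVED"
    else:
        key = (p.src, p.sport, p.dst, p.dport)
        if "A" in p.flags and state.get(key) == "SYN_RECEIVED":
            state[key] = "ESTABLISHED"
    return key


def track_tcp_streams(packets):
    """Final handshake state of every TCP stream seen in the capture."""
    state = {}
    for p in packets:
        if p.proto == "tcp":
            advance(state, p)
    return state


# Constructed rules. The content rule only matches client->server packets of
# a stream the tracker has seen reach ESTABLISHED, as a stream-aware IDS would.
RULES = [
    ("ICMP PING",
     lambda p, state: p.proto == "icmp" and p.flags == "echo-request"),
    ("WEB-CGI /bin/sh in request",
     lambda p, state: p.proto == "tcp" and p.dport == 80
     and b"/bin/sh" in p.payload
     and state.get((p.src, p.sport, p.dst, p.dport)) == "ESTABLISHED"),
]


def run_rules(packets):
    """Evaluate RULES packet by packet, tracking TCP state as we go."""
    state = {}
    alerts = []
    for p in packets:
        if p.proto == "tcp":
            advance(state, p)
        for name, match in RULES:
            if match(p, state):
                alerts.append(name)
    return alerts


if __name__ == "__main__":
    for allowed in (False, True):
        cap = sensor_capture(allowed)
        print("firewall passes inbound SYN:", allowed)
        print("  streams:", track_tcp_streams(cap))
        print("  alerts :", run_rules(cap))
```

With the SYN dropped the tracker never gets past SYN_SENT and the only alert is the ICMP one, which is exactly the symptom the original poster reported; with the SYN passed, the same rule set produces the content alert as well.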

