On Monday 23 June 2008 12:33, Alex wrote:
> Hello all,
>
> I want to set up a sensor to monitor the LAN traffic (our developers
> run various tests which in some situations affect the network). For
> this I installed snort-2.8.2.1 compiled with mysql support on my
> machine. The problem is that it does not log ICMP traffic at all (I see
> that it raises alerts for TCP and UDP, but for ICMP it logs absolutely
> nothing). How do I tell it to also enable/log the alerts for ICMP?
>
> I checked this with a ping -f from a workstation on the LAN to the
> workstation that has snort installed, but nothing.
>
> in /etc/snort/snort.conf I have:
>
> var HOME_NET any
> var EXTERNAL_NET any
> include $RULE_PATH/icmp.rules
> and I left this line commented out:
> # include $RULE_PATH/icmp-info.rules
>
> When I start snort, I see this:
> [EMAIL PROTECTED] ~]# snort -c /etc/snort/snort.conf
> ...
> Stream5 global config:
>     Track TCP sessions: ACTIVE
>     Max TCP sessions: 8192
>     Memcap (for reassembly packet storage): 8388608
>     Track UDP sessions: INACTIVE
>     Track ICMP sessions: INACTIVE
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I found this in the readme:

The Stream5 preprocessor is a target-based TCP reassembly module
for Snort.  It is intended to replace both the Stream4 and flow
preprocessors, and it is capable of tracking sessions for both
TCP and UDP.  With Stream5, the rule 'flow' and 'flowbits' keywords
are usable with TCP as well as UDP traffic.

Since Stream5 replaces Stream4, both cannot be used simultaneously.
Remove the Stream4 and flow configurations from snort.conf when the
Stream5 configuration is added.

NOTE: ICMP is currently untested, in minimal code form and is NOT ready
for use in production networks.  It is not turned on by default.

So, how did you enable the alerts for ICMP?

Alx
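
As an added diagnostic (not part of this thread or of Snort itself), the Python script below parses a snort.conf fragment and the Stream5 section of the startup banner and flags the two conditions visible in the post: ICMP session tracking reported INACTIVE, and an icmp*.rules include that is present only as a comment. The snort.conf and banner samples are constructed to mirror the ones quoted above.

```python
"""Flag the ICMP visibility gaps visible in a Snort 2.8 setup.

Added example, not from the RLUG thread. Sample inputs are constructed
copies of the snort.conf lines and Stream5 banner quoted in the post.
"""
import re

# Constructed snort.conf fragment mirroring the post (RULE_PATH assumed).
SNORT_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
include $RULE_PATH/icmp.rules
# include $RULE_PATH/icmp-info.rules
"""

# Constructed copy of the Stream5 section of the startup banner.
STARTUP_BANNER = """\
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 8192
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: INACTIVE
    Track ICMP sessions: INACTIVE
"""


def rule_includes(conf):
    """Return {rule_file: active} for every include line, commented or not."""
    result = {}
    for line in conf.splitlines():
        m = re.match(r'^\s*(#\s*)?include\s+\S*?([^/\s]+\.rules)\s*$', line)
        if m:
            result[m.group(2)] = m.group(1) is None
    return result


def stream5_tracking(banner):
    """Return {'TCP': True, 'UDP': False, ...} from 'Track X sessions:' lines."""
    return {m.group(1): m.group(2) == 'ACTIVE'
            for m in re.finditer(r'Track (\w+) sessions:\s*(ACTIVE|INACTIVE)', banner)}


def icmp_findings(conf, banner):
    """List why ICMP may be invisible: inactive tracking, commented-out rules."""
    findings = []
    if not stream5_tracking(banner).get('ICMP', False):
        findings.append('stream5: ICMP session tracking is INACTIVE (off by default per README)')
    for name, active in rule_includes(conf).items():
        if name.startswith('icmp') and not active:
            findings.append(f'rules: {name} is included only as a comment')
    return findings
```

Run `icmp_findings(SNORT_CONF, STARTUP_BANNER)` against your own snort.conf and `snort -c` output to see which of the two conditions applies before changing the configuration.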

_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug