i'm currently workign on getting snort up and running. i'm getting it to work with mysql and acid. as of now, it seems to be working, but if i portscan my computer, it won't detect it. and it only seems to be detecting random icmp packets. which is odd b/c i'm supposed to be blocking those using iptables and so i can't even ping myself:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere
i assume because i'm getting feedback from acid, that snort is actually communicating with my sql server and acid is getting those results. but they're not the one's i'm looking for.
i currently have all the rules for snort enabled, recently downloaded, and the threshold.conf file disabled. whats going on here?
Unique Alerts: 2 ( 1 categories )
Total Number of Alerts: 4
Source IP addresses: 2
Dest. IP addresses: 2
Unique IP links 2
Source Ports: 0
TCP ( 0) UDP ( 0)
Dest. Ports: 0
TCP ( 0) UDP ( 0)
[snort] ICMP Destination Unreachable (Port Unreachable) misc-activity 3 (75%) 1 1 1 2004-02-03 16:10:06 2004-02-03 16:10:12
[arachNIDS][snort] ICMP PING CyberKit 2.2 Windows misc-activity 1 (25%) 1 1 1 2004-02-03 16:18:31 2004-02-03 16:18:31
the source address for the top one, icmp destination unreachable, are from my computer to my computer. which makes sense since i tried to ping myself after putting in the iptables thing.
that's all i have after a nikto scan and like 3 port scans. the only thing that shows up should be something that shouldn't be showing up.
UPDATE: it also began detecting my AIM converstaions....as it should have. so i had a bunch of tcp alerts in there telling me i was using aim. i have since shut it down. but still, other than that, all it picks up are icmp packets. i ahve also since flushed my iptables just to make sure they don't interfere with anything i'm doing with snort.//