> > I was figuring I could sniff the packets leaving my
> > network and look for ICMP port unreachables since it would be
> > a dead giveaway that someone was trying to light up the TCP ports
> > of one of our computers.
>
> Why not simply use a 'sane' implementation of ICMP class filtering,
> such as offered in cisco IOS 10.3, to simply block specific classes
> of ICMP traffic?
>
> Paul Ferguson
> US Sprint                    tel: 703.689.6828
> Managed Network Engineering  internet: paul@hawk.sprintmrn.com

Maybe I am missing something, but I think the suggestion here is to
watch for ICMP packets as an indication that port scanning was taking
place, not to prevent it. This is IDS after all, not FIREWALLS 8-).
Blocking ICMP packets wouldn't do anything towards this aim. Now,
blocking the traffic while logging the traffic might do the trick.

Brian Utterback                  blu@mc.com
Manager Technical Networks       Mercury Computer Systems, Inc.
(508) 256-1300x168               199 Riverneck Road
(508) 256-3599 FAX               Chelmsford, MA 01824
You can't grep dead trees.
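The detection Brian describes, watching ICMP port unreachables on their way out of the network rather than filtering them, as an added example that is not part of the thread: it assumes a tcpdump-like line layout and a constructed capture, and uses a threshold of distinct probed ports per remote host within a window so that an ordinary traceroute (which also draws port unreachables) does not trip it.

```python
"""Report remote hosts that draw many ICMP port-unreachable replies.

Added example (not from the list post); capture line layout is assumed.
"""
import re
from collections import defaultdict

LOCAL_NET = "192.0.2."     # our network prefix (documentation range)
PORT_THRESHOLD = 5         # distinct closed ports before we report
WINDOW_SECONDS = 60.0

# Constructed sample capture. 203.0.113.9 looks like a traceroute
# (consecutive ports from 33434), which is why a threshold is needed.
SAMPLE_CAPTURE = """\
100.0 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 53 unreachable
100.1 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 69 unreachable
100.2 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 111 unreachable
100.3 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 123 unreachable
100.4 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 161 unreachable
100.5 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 514 unreachable
105.0 192.0.2.22 > 203.0.113.9: ICMP 192.0.2.22 udp port 33434 unreachable
105.1 192.0.2.22 > 203.0.113.9: ICMP 192.0.2.22 udp port 33435 unreachable
300.0 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 7 unreachable
"""

# Assumed line layout: time src > dst: ICMP probed_host udp port N unreachable
LINE_RE = re.compile(r"^(?P<ts>[\d.]+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
                     r"ICMP [\d.]+ udp port (?P<port>\d+) unreachable$")

def find_scanners(capture, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {remote_ip: sorted probed ports} for hosts over the threshold."""
    seen = defaultdict(list)                 # remote ip -> [(ts, port), ...]
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        # keep only unreachables that leave our network for an outside host
        if m and m["src"].startswith(LOCAL_NET) \
                and not m["dst"].startswith(LOCAL_NET):
            seen[m["dst"]].append((float(m["ts"]), int(m["port"])))
    alerts = {}
    for remote, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window per remote
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts[remote] = sorted(ports)
                break
    return alerts

if __name__ == "__main__":
    for ip, ports in find_scanners(SAMPLE_CAPTURE).items():
        print(f"{ip} drew port unreachables for {len(ports)} ports: {ports}")
```

Feeding it real `tcpdump -n icmp` output would need the regex adjusted to that tcpdump version's exact format; the reported hosts are candidates to log and review, not an automatic block list.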