hi
i disabled all rules in snort and i write a rule :
alert icmp 192.168.1.213 any -> 192.168.1.212 any (msg:" PING !!!!"
but when i enter this command
nmap -sX -p 22,25,53,110,80 192.168.*.210-214
i see things same as :

** ORIGINAL DATAGRAM DUMP:
192.168.1.212:110 -> 192.168.1.213:59530
TCP TTL:128 TOS:0x0 ID:57147 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x30842827 Win: 0x0 TcpLen: 20
** END OF DUMP


OR

[**] [122:1:0] (portscan) TCP Portscan [**]
06/20-14:34:37.852199 192.168.1.213 -> 192.168.1.210
PROTO255 TTL:0 TOS:0x0 ID:41950 IpLen:20 DgmLen:161

[**] [122:1:0] (portscan) TCP Portscan [**]
06/20-14:35:30.904632 192.168.1.213 -> 192.168.60.210
PROTO255 TTL:0 TOS:0x0 ID:61479 IpLen:20 DgmLen:160

i can not know why this happend?
because i have one rule that in this i specified when Source IP=192.168.1.213 and Destination IP address =192.168.1.212 then alert me but ......
why???
can u help me please???

nmap -sX isn't an icmp scan..

See man nmap for details..

There must be some rules loaded for the tcp detection to make alerts..

but i disabled all of rules by webmin and i have one rule !!!
i can not underestand why this happend...
i want to know why this happend
can u help me about it??

Try starting snort with the -c option and specify an empty file, eg
snort -c /root/empty

This should load an empty rules file..
I don't have access to a running snort to try this on. It may protest if the file is empty.

The manual doesn't describe this command as an exclude or include option..http://216.239.59.104/search?q=cache...client=firefox

in front of snort with -c option must write path of snort.conf not rule .
i sure this . i read this in some books.
how can i do now ??

Oops.. Now that I read it properly I can see..

Did you ask on the Snort mailing list?