Visualizing nmap -sn / ARP Scans


id1010...@gmail.com

Mar 11, 2017, 8:23:18 PM
to security-onion
I'm playing around in my lab today and I'm having a hard time figuring out how I'd see an ARP scan such as: nmap -sn 192.168.1.1-255

Obviously the above scan doesn't produce any alerts when running a default setup with Snort, but if I use Wireshark/tshark to dissect the snort.log.1234567890 file in /nsm/sensor_data/<interface>-eth1/dailylogs/<timestamped folder>/

Then it's clear that a scan is taking place. But that doesn't seem realistic if I were trying to observe that in a saturated gigabit network.

Do you know a smarter way to do this?


Thanks,
Jay

Wes

Mar 12, 2017, 8:37:33 AM
to security-onion

Jay,

You may want to check downloaded.rules to see if any NMAP rules are disabled:

Ex. grep NMAP /etc/nsm/rules/downloaded.rules
or
Ex. grep "GPL SCAN PING NMAP" /etc/nsm/rules/downloaded.rules

You can enable them in /etc/nsm/pulledpork/enablesid.conf and then run rule-update for the changes to take effect.

Thanks,
Wes
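Jay's other question, spotting an ARP sweep without scrolling through the whole capture by hand, can be answered with a small script over tshark field output. The example below is added here and is not from either poster or from Security Onion: it takes tab-separated "epoch, ARP sender IP, ARP target IP" lines (the shape produced by `tshark -r <pcap> -Y "arp.opcode == 1" -T fields -e frame.time_epoch -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4`) and flags any host that asks "who has" for many distinct addresses inside a short sliding window; the sample lines, window and threshold are constructed assumptions.

```python
"""Flag ARP sweeps (e.g. nmap -sn on the local segment) in tshark ARP-request output."""
from collections import defaultdict


def build_sample():
    """Constructed sample in tshark -T fields form: epoch<TAB>sender_ip<TAB>target_ip."""
    lines = []
    base = 1489280598.0
    # One host asks "who has" for 40 consecutive addresses a few ms apart (the sweep).
    for i in range(1, 41):
        lines.append(f"{base + i * 0.01:.2f}\t192.168.1.50\t192.168.1.{i}")
    # Ordinary chatter: a workstation re-resolving its gateway, gateway resolving 3 hosts.
    for i in range(5):
        lines.append(f"{base + 5 + i:.2f}\t192.168.1.20\t192.168.1.1")
    for i in (20, 21, 22):
        lines.append(f"{base + 7:.2f}\t192.168.1.1\t192.168.1.{i}")
    return "\n".join(lines) + "\n"


def parse_arp_requests(text):
    """Parse tab-separated lines into (epoch, sender_ip, target_ip) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split("\t")
        rows.append((float(ts), src, dst))
    return rows


def find_arp_sweeps(rows, window=10.0, threshold=20):
    """Return {sender: max distinct targets} for senders that probed at least
    `threshold` distinct targets within any `window`-second sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst in rows:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        counts, start = defaultdict(int), 0
        for ts, dst in events:
            counts[dst] += 1
            while ts - events[start][0] > window:  # slide the window forward
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(counts))
    return alerts


if __name__ == "__main__":
    for src, n in find_arp_sweeps(parse_arp_requests(build_sample())).items():
        print(f"possible ARP sweep from {src}: {n} distinct targets")
```

On the constructed sample only 192.168.1.50 is reported; the gateway and the workstation stay below the threshold because they resolve a handful of addresses.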
