[Snort-users] not sure if I have this right

RR rehmanr at ...6488...
Wed Jul 31 08:38:08 EDT 2002

OK, just for testing, use the following rule at the end of your snort.conf
file and ping the host where snort is running (from some other machine):

alert icmp any any -> any any (msg: "ICMP ping packet";)

This will create alerts. Don't use this rule forever, this is bad!


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ian
Sent: Tuesday, July 30, 2002 5:23 PM
To: Snort User List
Subject: [Snort-users] not sure if I have this right

I set up snort the other day and I was wondering how I could go about
testing it.

So far it hasn't logged anything, which might be good news, but it also
might mean that I borked the setup.

Here is what I have:

snort 1.8.7 on the same box as my iptables based firewall. (Just out of
interest, will this tell me everything that is coming into the system or
just what gets past the firewall?)

Here is the network setup part of the conf:


And here is the logging portion:

output alert_syslog: LOG_AUTH LOG_ALERT

Now, I don't use syslogd but metalog. However, as I understand it,
metalog is supposed to mimic the functionality of syslog and the
iptables logging works.

Can anyone see anything obvious that I have done wrong here, or is my
system just being graciously ignored at the moment :)

Ian Truelsen
Masters program in Philosophy
University of Manitoba, Winnipeg, Canada
BA (Wilfrid Laurier University)
Email: ian at ...6489...
Homepage: http://www.ihtruelsen.2y.net
PGP key available at: http://www.ihtruelsen.2y.net/pgp.html
and http://pgp.mit.edu (search 'ihtruelsen')
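
The configuration quoted in the question sends alerts to syslog with `output alert_syslog: LOG_AUTH LOG_ALERT`, so the test ping from the reply only becomes visible if the logging daemon keeps messages with facility auth and priority alert. The following Python is an added example, not part of the original thread: it decodes the `<PRI>` header of raw syslog datagrams and separates the test rule's alert from other traffic such as the iptables kernel log line. The sample datagrams, their text layout and the function names are constructed for illustration, not captured Snort 1.8.7 output.

```python
import re

# Syslog facility and severity codes (RFC 3164); PRI = facility * 8 + severity.
FACILITIES = {0: "LOG_KERN", 1: "LOG_USER", 3: "LOG_DAEMON", 4: "LOG_AUTH"}
SEVERITIES = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]
PRI_HEADER = re.compile(r"<(\d{1,3})>(.*)", re.S)

# Constructed sample datagrams (not captured output); addresses are documentation ranges.
SAMPLE = [
    "<33>snort: ICMP ping packet {ICMP} 192.0.2.10 -> 192.0.2.1",
    "<4>kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=ICMP TYPE=8",
    "<30>snort: ICMP ping packet {ICMP} 192.0.2.10 -> 192.0.2.1",
    "<38>sshd[411]: session opened",
    "no priority header here",
]


def decode(raw):
    """Split a raw syslog datagram into (facility, severity, text)."""
    m = PRI_HEADER.fullmatch(raw)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("missing or invalid <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)
    name = FACILITIES.get(facility, "facility %d" % facility)
    return name, SEVERITIES[severity], m.group(2)


def find_test_alerts(datagrams, msg="ICMP ping packet"):
    """Return (expected, misrouted) snort alerts that carry the test rule's msg."""
    expected, misrouted = [], []
    for raw in datagrams:
        try:
            facility, severity, text = decode(raw)
        except ValueError:
            continue  # not a syslog datagram; ignore
        if not text.startswith("snort") or msg not in text:
            continue  # other programs, e.g. the iptables kernel log line
        bucket = expected if (facility, severity) == ("LOG_AUTH", "LOG_ALERT") else misrouted
        bucket.append((facility, severity, text))
    return expected, misrouted


if __name__ == "__main__":
    ok, wrong = find_test_alerts(SAMPLE)
    print("auth.alert snort alerts:", len(ok))
    for facility, severity, _ in wrong:
        print("snort alert with unexpected", facility, severity)
```

A snort alert that lands in the misrouted list means the facility or priority differs from what the `alert_syslog` line requests, which is worth checking before concluding that no rule fired.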
