[Snort-users] not sure if I have this right

RR rehmanr at ...6488...
Wed Jul 31 08:38:08 EDT 2002


OK, just for testing, use the following rule at the end of your snort.conf
file and ping the host where snort is running (from some other machine)

alert icmp any any -> any any (msg: "ICMP ping packet";)

This will create alerts. Don't use this rule forever; this is bad!

_RR
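The test rule above and the poster's variables, worked through as an added example (not code from the thread): a small Python matcher for Snort rule headers that resolves `var` definitions, including negated ones like `!$HOME_NET`, and shows that `any any -> any any` fires on every ICMP packet, LAN-internal and outbound ones included, while a second rule with a `$EXTERNAL_NET any -> $HOME_NET any` header (my addition, not from the thread) fires only on inbound pings. Port fields are parsed but ignored because ICMP has none.

```python
import ipaddress
import re

# Constructed snort.conf fragment: the poster's vars, the reply's test rule,
# and one extra scoped rule added here for comparison.
SNORT_CONF = """
var HOME_NET 192.168.100.0/24
var EXTERNAL_NET !$HOME_NET
alert icmp any any -> any any (msg: "ICMP ping packet";)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ICMP ping from outside";)
"""

RULE_RE = re.compile(
    r'^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\(msg:\s*"([^"]*)"')

def parse_vars(conf):
    """Collect 'var NAME VALUE' lines into a dict (later lines override earlier ones)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^var\s+(\S+)\s+(\S+)", conf, re.M)}

def resolve(addr_spec, variables):
    """Resolve an address field to (negated, network); 'any' yields network None."""
    negated = False
    spec = addr_spec
    while spec.startswith("!"):          # '!' may be stacked, e.g. !$EXTERNAL_NET
        negated = not negated
        spec = spec[1:]
    if spec.startswith("$"):             # follow the variable, carrying its own '!'
        sub_negated, net = resolve(variables[spec[1:]], variables)
        return negated ^ sub_negated, net
    if spec == "any":
        return negated, None
    return negated, ipaddress.ip_network(spec, strict=False)

def addr_matches(addr_spec, ip, variables):
    negated, net = resolve(addr_spec, variables)
    hit = True if net is None else ipaddress.ip_address(ip) in net
    return hit != negated                # XOR applies the negation

def matching_alerts(conf, proto, src, dst):
    """Return the msg of every rule whose header matches the packet's proto/src/dst."""
    variables = parse_vars(conf)
    msgs = []
    for line in conf.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(2) != proto:
            continue
        if addr_matches(m.group(3), src, variables) and addr_matches(m.group(5), dst, variables):
            msgs.append(m.group(7))
    return msgs

if __name__ == "__main__":
    # Inbound ping from outside trips both rules; a LAN-internal ping trips only the 'any' rule.
    print(matching_alerts(SNORT_CONF, "icmp", "10.0.0.5", "192.168.100.1"))
    print(matching_alerts(SNORT_CONF, "icmp", "192.168.100.2", "192.168.100.3"))
```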


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ian
Truelsen
Sent: Tuesday, July 30, 2002 5:23 PM
To: Snort User List
Subject: [Snort-users] not sure if I have this right


I set up snort the other day and I was wondering how I could go about
testing it.

So far it hasn't logged anything, which might be good news, but it also
might mean that I borked the setup.

Here is what I have:

snort 1.8.7 on the same box as my iptables based firewall. (Just out of
interest, will this tell me everything that is coming into the system or
just what gets past the firewall?)

Here is the network setup part of the conf:

var HOME_NET 192.168.100.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS !$HOME_NET

And here is the logging portion:

output alert_syslog: LOG_AUTH LOG_ALERT

Now, I don't use syslogd but metalog. However, as I understand it,
metalog is supposed to mimic the functionality of syslog and the
iptables logging works.

Can anyone see anything obvious that I have done wrong here, or is my
system just being graciously ignored at the moment :)

--
Ian Truelsen
Masters program in Philosophy
University of Manitoba, Winnipeg, Canada
BA (Wilfrid Laurier University)
Email: ian at ...6489...
Homepage: http://www.ihtruelsen.2y.net
PGP key available at: http://www.ihtruelsen.2y.net/pgp.html
and http://pgp.mit.edu (search 'ihtruelsen')
