[Snort-users] generating an alert

Michael Steele michaels at ...155...
Thu Apr 17 17:33:09 EDT 2003


Rick,

Drop these into your local.rules. It will trigger on everything. I wouldn't
leave them on for too long as they will fill the database up very quickly.
Be sure to restart Snort after you add them. To disable them place a hash
mark in front of them and be sure to restart snort.

alert ip any any -> any any (msg:"Got an IP packet";)
alert tcp any any -> any any (msg:"Got an TCP packet";)
alert udp any any -> any any (msg:"Got an UDP packet";)
alert icmp any any -> any any (msg:"Got an ICMP packet";)

-Michael
-- 
 Michael Steele | System Engineer / Support Technician     
 mailto:michaels at ...155...    
 Silicon Defense - The Cyber-War Defense Company
 Website: http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rick S.
Sent: Thursday, April 17, 2003 4:32 PM
To: snort-users at lists.sourceforge.net

Hello
I am new to snort. I would like to run it in IDS mode. so I used

snort -D -s -c /etc/snort/snort.conf

Its the stock snort.conf.

In syslog it says it initialized fine.
How can I test it? I would to know that it works and will log alerts to
syslog. Is there a way that I can generate an alert to prove its worth?
thanx for your time.

Rick S.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







More information about the Snort-users mailing list