[Snort-users] MySql-Acid logging

Michael Steele michaels at ...155...
Fri Apr 18 13:36:06 EDT 2003


Drop these into your local.rules. It will trigger on everything. I wouldn't
leave them on for too long as they will fill the database up very quickly.
Be sure to restart Snort after you add them. To disable them, place a hash
mark in front of them and be sure to restart Snort.

alert ip any any -> any any (msg:"Got an IP packet";)
alert tcp any any -> any any (msg:"Got an TCP packet";)
alert udp any any -> any any (msg:"Got an UDP packet";)
alert icmp any any -> any any (msg:"Got an ICMP packet";)

BTW, I posted this exact same reply yesterday.

 Michael Steele | System Engineer / Support Technician     
 mailto:michaels at ...155...    
 Silicon Defense - The Cyber-War Defense Company
 Website: http://www.silicondefense.com
 Snort: Open Source Network IDS - http://www.snort.org
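The reply above warns that the four catch-all rules will fill the database if they are left enabled. A small check that catches exactly that situation is a lint over local.rules that flags any still-active "any any -> any any" rule (and rules without a sid). The script below is an added example written for this archive page, not code from the poster, from Silicon Defense or from the Snort project; it uses a simplified Snort 2.x rule grammar (action, protocol, addresses, direction, options in parentheses) and a constructed sample local.rules in which the UDP rule has already been commented out.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample local.rules (not from any real deployment): the four
# catch-all test rules from the reply, with the UDP one already disabled
# with a hash mark, plus one ordinary rule for comparison.
SAMPLE_LOCAL_RULES = """\
# local.rules - constructed sample for this lint
alert ip any any -> any any (msg:"Got an IP packet";)
alert tcp any any -> any any (msg:"Got an TCP packet";)
#alert udp any any -> any any (msg:"Got an UDP packet";)
alert icmp any any -> any any (msg:"Got an ICMP packet";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to home net"; flow:to_server,established; sid:1000001; rev:1;)
"""

# Simplified rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SID_RE = re.compile(r"\bsid:\s*(\d+)")


class Rule(NamedTuple):
    line_no: int
    enabled: bool      # False when the line is commented out with '#'
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: Optional[str]
    sid: Optional[str]

    def is_catch_all(self) -> bool:
        """True for 'any any -> any any' rules, which fire on every packet."""
        return (self.src, self.sport, self.dst, self.dport) == ("any",) * 4


def parse_rule_line(line_no: int, raw: str) -> Optional[Rule]:
    text = raw.strip()
    enabled = not text.startswith("#")
    if not enabled:
        text = text.lstrip("#").strip()   # look inside disabled rules too
    m = HEADER_RE.match(text)
    if not m:
        return None  # blank line, plain comment, or syntax this parser ignores
    opts = m.group("options")
    msg = MSG_RE.search(opts)
    sid = SID_RE.search(opts)
    return Rule(line_no, enabled, m.group("action"), m.group("proto"),
                m.group("src"), m.group("sport"), m.group("dst"), m.group("dport"),
                msg.group(1) if msg else None, sid.group(1) if sid else None)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for n, line in enumerate(text.splitlines(), start=1):
        r = parse_rule_line(n, line)
        if r is not None:
            rules.append(r)
    return rules


def find_active_catch_alls(text: str) -> List[Rule]:
    """Enabled rules that match every packet of their protocol."""
    return [r for r in parse_rules(text) if r.enabled and r.is_catch_all()]


def lint_local_rules(text: str) -> List[str]:
    """One warning per enabled catch-all rule and per enabled rule without a sid."""
    warnings = []
    for r in parse_rules(text):
        if not r.enabled:
            continue
        label = r.msg or "<no msg>"
        if r.is_catch_all():
            warnings.append(f"line {r.line_no}: catch-all {r.proto} rule '{label}' "
                            "is still enabled; it will log every packet")
        if r.sid is None:
            warnings.append(f"line {r.line_no}: rule '{label}' has no sid")
    return warnings


if __name__ == "__main__":
    for w in lint_local_rules(SAMPLE_LOCAL_RULES):
        print(w)
```

Run it against a real local.rules by reading the file into `lint_local_rules`; once the ACID console shows events, anything the lint reports as a still-enabled catch-all is a rule to comment out before restarting Snort. The parser only handles the single-line header form shown in the reply; multi-line rules continued with a backslash are not recognised.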

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Cilin
Sent: Friday, April 18, 2003 12:57 PM
To: snort-users at lists.sourceforge.net

Hi guys, 

I just set up Snort as a service and all the juicy
programs along with it. When I open the acid_main.php
I have no evidence of any intrusion (everything is 0).
Do you guys know a program or a way I can generate an
alert so I can test to see if my configuration works?

Also, would a port scan be considered an alert? Because
I tried scanning from a home network but no alerts were
detected. I am blaming this on the network switch
rather than the alert problem.

Thanks for any input in advance,

"Knowing others is wisdom, knowing yourself is Enlightenment." -Lao Tzu
