[Snort-users] can't get snort (patched for snortsam) to trigger on a test rule
rgr at ...10749...
Tue Aug 23 12:43:25 EDT 2005
I am running Debian testing. I was running snort from the
debian packages for a while, but I decided to incorporate
snortsam to actually block attacking IPs and to do that I had
to uninstall the debian snort package, and get the snort
source and patch it, and install snort from source.
My problem is that snort doesn't trigger on anything.
I made a test rule and put it in /etc/snort/rules/test.rules,
alert icmp $HOME_NET any -> 18.104.22.168 any (msg:"ICMP test rule";
I remembered to include test.rules from /etc/snort/snort.conf.
When I start snort and ping 22.214.171.124 from the machine running
snort or from other machines, nothing happens.
While debugging this, I eventually quit using the snort
startup script. I am currently running it from the command line:
/usr/local/bin/snort -m 027 -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=192.168.0.0/16 -i eth0
Note that I took out the -D. I also removed square brackets
that used to go around the 192.168.0.0/16 on the advice of
someone on #snort on freenode.
Note that if I run
snort -dvi eth0 | grep 1\.2\.3\.4
while I am pinging 126.96.36.199, I get the output:
08/23-14:39:48.391792 188.8.131.52 -> 184.108.40.206
08/23-14:39:49.391742 220.127.116.11 -> 18.104.22.168
08/23-14:39:50.391682 22.214.171.124 -> 126.96.36.199
So I am pretty sure I am connected to the right interface.
Any help at all would be appreciated.