[Snort-users] can't get snort (patched for snortsam) to trigger on a test rule

Rob Ristroph rgr at ...10749...
Tue Aug 23 12:43:25 EDT 2005


Hi,

        I am running Debian testing.  I was running snort from the
        debian packages for a while, but I decided to incorporate
        snortsam to actually block attacking IPs and to do that I had
        to uninstall the debian snort package, and get the snort
        source and patch it, and install snort from source.

        My problem is that snort doesn't trigger on anything.

        I made a test rule and put it in /etc/snort/rules/test.rules,
        which says:

alert icmp $HOME_NET any -> 1.2.3.4 any (msg:"ICMP test rule"; fwsam:dst,30 sec;)

        I remembered to include test.rules from /etc/snort/snort.conf.

        When I start snort and ping 1.2.3.4 from the machine running
        snort or from other machines, nothing happens.

        While debugging this, I eventually quit using the snort
        startup script; I am currently running it from the command line
        like this:

/usr/local/bin/snort -m 027 -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=192.168.0.0/16 -i eth0

        Note that I took out the -D.  I also removed square brackets
        that used to go around the 192.168.0.0/16 on the advice of
        someone on #snort on freenode.

        Note that if I run

snort -dvi eth0 | grep '1\.2\.3\.4'

        while I am pinging 1.2.3.4, I get the output:

08/23-14:39:48.391792 70.112.100.20 -> 1.2.3.4
08/23-14:39:49.391742 70.112.100.20 -> 1.2.3.4
08/23-14:39:50.391682 70.112.100.20 -> 1.2.3.4

        So I am pretty sure I am connected to the right interface.

        Any help at all would be appreciated.

--Rob
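Before looking at the fwsam option at all, the first thing to check is whether the packets snort is seeing satisfy the rule's header, because a rule whose header never matches will never reach its options. The script below is an added example, not code from the post or from the Snort or SnortSam projects. It parses a single-line Snort rule header (resolving $VAR names the way -S and snort.conf variables would), parses the one-line packet headers that `snort -v` prints for ICMP, and reports per packet whether the rule header would match. The rule, the HOME_NET value and the three capture lines are constructed to mirror the ones quoted above; protocol and ports are not checked, since the capture lines carry neither.

```python
"""Added example (not from the post): does a packet seen by `snort -dv`
even satisfy a rule's header?  Inputs below are constructed to mirror
the rule, the -S HOME_NET value and the capture lines in the message."""
import ipaddress
import re

# Constructed sample inputs, copied from the kinds of lines in the post.
RULE = 'alert icmp $HOME_NET any -> 1.2.3.4 any (msg:"ICMP test rule"; fwsam:dst,30 sec;)'
VARS = {"HOME_NET": "192.168.0.0/16"}   # what -S HOME_NET=192.168.0.0/16 sets
CAPTURE = """\
08/23-14:39:48.391792 70.112.100.20 -> 1.2.3.4
08/23-14:39:49.391742 70.112.100.20 -> 1.2.3.4
08/23-14:39:50.391682 70.112.100.20 -> 1.2.3.4
"""

# action proto src sport dir dst dport (options)  -- all on one line
_HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# `snort -v` header line for ICMP: timestamp, source, "->", destination
_CAPTURE_RE = re.compile(r"^\S+\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s*$")


def resolve_vars(spec, variables):
    """Replace $NAME tokens with their values; an unknown name raises
    KeyError, much as Snort refuses a rule that uses an undefined variable."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], spec)


def parse_rule_header(rule, variables):
    m = _HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % rule)
    h = m.groupdict()
    h["src"] = resolve_vars(h["src"], variables)
    h["dst"] = resolve_vars(h["dst"], variables)
    return h


def addr_matches(spec, ip):
    """Snort address spec: any | addr | net/cidr | [a,b,...], optional '!' prefix."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    parts = [p.strip() for p in spec.strip("[]").split(",")]
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(p, strict=False) for p in parts)
    return hit != negate


def header_matches(rule, variables, src, dst):
    """True if the rule's address fields match this src/dst pair
    (bidirectional '<>' rules match either orientation)."""
    h = parse_rule_header(rule, variables)
    forward = addr_matches(h["src"], src) and addr_matches(h["dst"], dst)
    if h["dir"] == "->":
        return forward
    return forward or (addr_matches(h["src"], dst) and addr_matches(h["dst"], src))


def check_capture(rule, variables, capture_text):
    """Return (src, dst, matched) for every `snort -v` header line in the text."""
    results = []
    for line in capture_text.splitlines():
        m = _CAPTURE_RE.match(line)
        if m:
            src, dst = m.group("src"), m.group("dst")
            results.append((src, dst, header_matches(rule, variables, src, dst)))
    return results


if __name__ == "__main__":
    for src, dst, ok in check_capture(RULE, VARS, CAPTURE):
        print("%s -> %s : %s" % (src, dst, "header matches" if ok else "NO match"))
```

Run over the three capture lines quoted above, the script reports no header match for any of them: the source 70.112.100.20 is not inside 192.168.0.0/16, so a rule whose source field is $HOME_NET with that value cannot fire on those pings, whatever the fwsam option does. A source inside 192.168.0.0/16 does match, which is the cheap way to confirm the rule header is the part worth examining before the snortsam patch.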
