[Snort-users] Configuring Snort

Damien Hull dhull at ...15333...
Fri Aug 24 15:04:04 EDT 2012

I have snort installed but the rules don't seem to be working. Here's
what I have.

snort rules:
OS: Ubuntu 10.04 LTS
Other: Barnyard2

I know snort and barnyard2 are working. I added the following to
local.rules and it works.
          alert icmp any any -> any any (msg: "ICMP Packet found"; sid:1001;)

I commented out the dynamic detection stuff because that wasn't
loading. I was told my version of snort rules won't work with snort
          # path to dynamic rules libraries
          # dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules

I have the scanning section configured. I thought that would allow me
to scan the system and snort would trigger an alert. No such luck.
         # Portscan detection.  For more information, see README.sfportscan
         preprocessor sfportscan: proto  { all } scan_type { all }
memcap { 10000000 } s$

Why does the simple rule in local.rules work but a port scan doesn't
get detected?
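Added example, not code from the post above or from the Snort project: a small Python check over a snort.conf that flags the settings a port-scan alert depends on. The snort.conf text is constructed here to resemble the fragments quoted in the post, and the paths and finding codes are placeholders of my own. The facts it encodes come from the Snort 2.9 documentation: sfportscan events are reported under GID 122, sfportscan depends on the Stream preprocessor (README.sfportscan), sense_level is one of low, medium or high with low as the default, and barnyard2 reads the files written by the unified2 output plugin. It does not run Snort; `snort -T -c snort.conf` makes Snort itself validate the file.

```python
"""Lint a Snort 2.x snort.conf for the settings a port-scan alert depends on.

Added example, not from the mailing-list post or the Snort project. The
snort.conf text is constructed to resemble the fragments in the post; the
paths and finding codes are placeholders. Facts used (Snort 2.9 docs):
sfportscan events carry GID 122; sfportscan depends on the Stream
preprocessor (README.sfportscan); sense_level is low/medium/high, default
low; barnyard2 reads unified2 output files.
"""
import re
from typing import Dict, List

# Constructed to resemble the poster's config: sfportscan is present, the
# Stream preprocessor is missing and the preprocessor rules are commented out.
SAMPLE_CONF = """\
output unified2: filename snort.u2, limit 128
# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto  { all } scan_type { all } \\
    memcap { 10000000 } sense_level { low }
# include $PREPROC_RULE_PATH/preprocessor.rules
include $RULE_PATH/local.rules
"""

# The same file with the gaps closed (also constructed).
FIXED_CONF = """\
output unified2: filename snort.u2, limit 128
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy first
preprocessor sfportscan: proto { all } scan_type { all } \\
    memcap { 10000000 } sense_level { medium }
include $PREPROC_RULE_PATH/preprocessor.rules
include $RULE_PATH/local.rules
"""


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines; drop blank lines and '#' comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            out.append(stripped)
    return out


def preprocessors(lines: List[str]) -> Dict[str, str]:
    """Map each 'preprocessor NAME: ARGS' directive to its argument string."""
    found = {}
    for line in lines:
        m = re.match(r"preprocessor\s+(\w+)\s*(?::\s*(.*))?$", line)
        if m:
            found[m.group(1)] = m.group(2) or ""
    return found


def option(args: str, name: str) -> str:
    """Return VALUE from 'name { VALUE }' inside a preprocessor argument string."""
    m = re.search(rf"\b{name}\s*\{{\s*([^}}]*?)\s*\}}", args)
    return m.group(1) if m else ""


def check_portscan_config(text: str) -> List[str]:
    """Return finding codes; an empty list means nothing obviously missing."""
    lines = logical_lines(text)
    pre = preprocessors(lines)
    findings = []
    if "sfportscan" not in pre:
        # Without the preprocessor nothing can emit GID 122 events.
        return ["no_sfportscan"]
    args = pre["sfportscan"]
    if not any(name.startswith("stream") for name in pre):
        findings.append("no_stream")            # sfportscan depends on Stream
    if option(args, "sense_level") not in ("low", "medium", "high"):
        findings.append("sense_level_default")  # omitted or invalid; Snort uses low
    if not option(args, "proto"):
        findings.append("no_proto")
    if not any("preprocessor.rules" in ln for ln in lines):
        findings.append("preprocessor_rules_not_included")  # GID 122 rules not explicitly included
    if not any(re.match(r"output\s+unified2", ln) for ln in lines):
        findings.append("no_unified2")          # barnyard2 would have nothing to read
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(label, check_portscan_config(conf) or "ok")
```

Run it as a script to see the two reports; on the constructed sample it reports the missing Stream preprocessor and the commented-out preprocessor.rules include, and on the corrected file it reports nothing. Two things outside the config are also worth checking before blaming the rules: a scan launched on the sensor against itself travels over the loopback interface rather than the interface Snort is listening on, and Snort's own `snort -T -c snort.conf` test mode will print any preprocessor the file fails to load.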

