[Snort-users] Configuring Snort

Marcos Rodriguez marcos.e.rodriguez at ...11827...
Fri Aug 24 15:35:52 EDT 2012


On Fri, Aug 24, 2012 at 3:04 PM, Damien Hull <dhull at ...15333...> wrote:

> I've snort installed but the rules don't seem to be working. Here's
> what I have.
>
> snort: 2.9.3.1
> snort rules: 2.9.2.3
> OS: Ubuntu 10.04 LTS
> Other: Barnyard2
>
> I know snort and barnyard2 are working. I added the following to
> local.rules and it works.
>           alert icmp any any -> any any (msg: "ICMP Packet found";
> sid:1001;)
>
> I commented out the dynamic detection stuff because that wasn't
> loading. I was told my version of snort rules won't work with snort
> 2.9.3.1
>           # path to dynamic rules libraries
>           # dynamicdetection directory
> /usr/local/snort/lib/snort_dynamicrules
>
> I have the scanning section configured. I thought that would allow me
> to scan the system and snort would trigger an alert. No such luck.
>          # Portscan detection.  For more information, see README.sfportscan
>          preprocessor sfportscan: proto  { all } scan_type { all }
> memcap { 10000000 } s$
>
> Why does the simple rule in local.rules work but a port scan doesn't
> get detected?
>
>
Hiya Damien,

Sounds like maybe you're not loading your preprocessor.rules file.  The
portscan rules are in that file, under preproc_rules.  Does this line exist
in your current snort.conf:

var PREPROC_RULE_PATH ../preproc_rules


marcos
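One way to check a snort.conf for the condition Marcos describes, as an added example that is not part of this thread or of Snort's own tooling. It assumes the stock way of wiring in preprocessor rules (a `var PREPROC_RULE_PATH ...` line plus `include $PREPROC_RULE_PATH/preprocessor.rules`); both config fragments below are constructed to mirror the situation in the thread, not copied from Damien's file.

```shell
#!/bin/sh
# Added example: audit a snort.conf for the portscan-rule problem discussed above.
# Assumption (not stated in the thread): preprocessor rules are loaded with the
# stock pair of lines  "var PREPROC_RULE_PATH ../preproc_rules"  and
# "include $PREPROC_RULE_PATH/preprocessor.rules".

# True when CONF has an active (not commented-out) line matching extended regex PATTERN.
has_active_line() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# Check the three things a working portscan alert depends on; print one line
# per finding and return the number of failed checks (0 = everything wired up).
check_portscan_setup() {
    conf="$1"
    failed=0

    if has_active_line "$conf" 'var[[:space:]]+PREPROC_RULE_PATH[[:space:]]'; then
        echo "ok:   PREPROC_RULE_PATH is defined"
    else
        echo "FAIL: PREPROC_RULE_PATH is missing or commented out"
        failed=$((failed + 1))
    fi

    if has_active_line "$conf" 'include[[:space:]]+\$PREPROC_RULE_PATH/preprocessor\.rules'; then
        echo "ok:   preprocessor.rules is included"
    else
        echo "FAIL: preprocessor.rules is never included, so sfportscan events have no rule to alert on"
        failed=$((failed + 1))
    fi

    if has_active_line "$conf" 'preprocessor[[:space:]]+sfportscan:'; then
        echo "ok:   sfportscan preprocessor is enabled"
    else
        echo "FAIL: sfportscan preprocessor is not enabled"
        failed=$((failed + 1))
    fi

    return "$failed"
}

# Constructed fragment reproducing the thread's situation: sfportscan is on,
# but the preprocessor rules are never loaded.
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
var RULE_PATH ../rules
# var PREPROC_RULE_PATH ../preproc_rules
# dynamicdetection directory /usr/local/snort/lib/snort_dynamicrules
# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 }
include $RULE_PATH/local.rules
# include $PREPROC_RULE_PATH/preprocessor.rules
EOF

# Constructed fragment with the two missing lines restored.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
var RULE_PATH ../rules
var PREPROC_RULE_PATH ../preproc_rules
preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000 }
include $RULE_PATH/local.rules
include $PREPROC_RULE_PATH/preprocessor.rules
EOF

echo "== broken snort.conf =="
check_portscan_setup "$BROKEN_CONF" || echo "$? check(s) failed"
echo "== fixed snort.conf =="
check_portscan_setup "$FIXED_CONF" && echo "all checks passed"
```

The script only inspects the text of the file; it does not verify that `../preproc_rules/preprocessor.rules` actually exists relative to the config, so after fixing the lines, run `snort -T -c /path/to/snort.conf` to let Snort itself parse the full configuration and report any file it cannot load.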