[Snort-users] Snort noob questions

Eric Fowler eric.fowler at ...11827...
Tue Apr 23 16:53:30 EDT 2013


The easiest way to test basic alert functionality:

- put an alert for all ICMP traffic into your rules file:
# local rules use sid >= 1000000; option keywords are lower-case and each ends with ';'
alert icmp any any <> any any (msg:"PING!"; sid:1000001; rev:1;)
prompt-->snort -dev -c <path to rules file> -l /var/log/snort
- run ping forever

If that doesn't catch packets you are doing something very wrong.

On Tue, Apr 23, 2013 at 12:55 PM, Scott Bonar <sbonar at ...11827...> wrote:

>  Thanks.  I enabled the portscan preprocessor and ran the nmap command,
> but I am still not getting any alerts.
> What am I missing?
>
> Scott
>
> On 04/21/2013 06:02 PM, Caleb Jaren wrote:
>
> If this helps, I've always used an nmap Xmas scan against a host in the
> monitored segment. The scan (iirc) would be something like "nmap -v -sX
> <target ip>".
>
> What Joel said re: clam vs. Snort.
> On Apr 19, 2013 1:43 PM, "Joel Esler" <jesler at ...1935...> wrote:
>
>>  On Apr 19, 2013, at 3:56 PM, Scott Bonar <sbonar at ...11827...> wrote:
>>
>> Hopefully some quick questions from a Snort 'noob'.
>>
>> 1) got Snort up and running but I was curious, what is the best way to
>> test it?
>>
>>
>>  Browse the internet for a bit!  ;)
>>
>>  No, really, maybe some metasploit, icmp traffic?  Something like that.
>>
>> 2) what is the difference between ClamAV and Snort since it appears as
>> if Snort has anti-virus/anti-spam/anti-phishing rules?
>>
>>
>>  ClamAV operates on files, on end hosts.  Snort is a network detection
>> tool that watches traffic as it goes by and stops it (if in IPS mode).  The
>> detection is written by the same people at the same time, so everything
>> that Snort has a rule for ClamAV also has a rule for.
>>
>>  --
>> *Joel Esler*
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
>
>
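Both suggestions in the thread (an `alert icmp` rule exercised by ping, and an nmap Xmas scan against the monitored segment) can be checked without touching a live network by replaying a capture with `snort -r`. The script below is an added example, not code from the thread or from the Snort project: it hand-builds a pcap containing ICMP echo requests and FIN+PSH+URG probes (the shape of an `nmap -sX` probe) against a set of ports, writes the ICMP rule from the post into a local rules file, and prints the replay command. Addresses, MACs, ports and the rule's sid are made-up values; the pcap layout and the IP/ICMP/TCP checksum math follow the public formats.

```python
"""Build a pcap of Snort test traffic (ICMP echo + TCP Xmas probes).

Added example for the thread above; not Snort project code.  All addresses,
MACs and ports are constructed sample values.
"""
import struct

SRC_MAC = bytes.fromhex("020000000001")   # constructed
DST_MAC = bytes.fromhex("020000000002")   # constructed
SRC_IP = "192.0.2.10"                     # TEST-NET-1 documentation range
DST_IP = "192.0.2.20"

# Same rule as in the post, with lower-case keywords and a local-range sid.
SAMPLE_RULES = 'alert icmp any any <> any any (msg:"PING!"; sid:1000001; rev:1;)\n'


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (IP, ICMP and TCP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(proto: int, payload_len: int, ident: int = 1) -> bytes:
    """20-byte IPv4 header with the checksum filled in at bytes 10-11."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      64, proto, 0, _ip(SRC_IP), _ip(DST_IP))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo(seq: int) -> bytes:
    """IPv4 + ICMP echo request: what the thread's `alert icmp` rule should match."""
    body = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + b"snort-test"
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(1, len(body), ident=seq) + body


def tcp_xmas(sport: int, dport: int) -> bytes:
    """IPv4 + TCP segment with FIN, PSH and URG set and no ACK (nmap -sX probe shape)."""
    flags = 0x01 | 0x08 | 0x20
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    pseudo = _ip(SRC_IP) + _ip(DST_IP) + struct.pack("!BBH", 0, 6, len(seg))
    seg = seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]
    return ipv4_header(6, len(seg), ident=dport) + seg


def ethernet(payload: bytes) -> bytes:
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + payload


def build_pcap(frames, start_ts: int = 1366750000) -> bytes:
    """Classic little-endian libpcap file: global header, then one record per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def test_traffic(n_ping: int = 5, xmas_ports=range(20, 40)) -> bytes:
    """A few pings followed by Xmas probes to a run of ports on the same host."""
    frames = [ethernet(icmp_echo(i)) for i in range(1, n_ping + 1)]
    frames += [ethernet(tcp_xmas(40000 + p, p)) for p in xmas_ports]
    return build_pcap(frames)


# Self-checks a reader can run against the generated packets.
def verify_ipv4(packet: bytes) -> bool:
    return checksum(packet[:20]) == 0


def verify_tcp(packet: bytes) -> bool:
    ip, seg = packet[:20], packet[20:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pseudo + seg) == 0


def tcp_flags(packet: bytes) -> int:
    return packet[20 + 13]


if __name__ == "__main__":
    with open("test.pcap", "wb") as f:
        f.write(test_traffic())
    with open("local.rules", "w") as f:
        f.write(SAMPLE_RULES)
    print("snort -r test.pcap -c local.rules -A console -l /var/log/snort")
```

Replaying the file with `-r` uses the same detection path as sniffing an interface, so if the ICMP rule fires here but not on live traffic, the problem is interface selection, promiscuous mode or the span port rather than the rule. The Xmas probes only produce a portscan alert when the sfportscan preprocessor is configured in the file passed to `-c` (a bare rules file does not enable it), and whether it fires on 20 probes depends on the preprocessor's sense_level and thresholds, so check the preprocessor settings before concluding the scan was missed.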