[Snort-users] Snort Tests?

mulhern mulhern at ...11827...
Fri Jul 19 13:20:22 EDT 2013


Thanks!
It turns out that that approach probably makes most sense for my current
needs and it sure is simple.
- mulhern


On Wed, Jul 17, 2013 at 1:06 PM, waldo kitty <wkitty42 at ...14940...>wrote:

> On 7/17/2013 10:02, mulhern wrote:
> > Supposing you have Snort up and running is there any set of available standard
> > tests that you can run to see if it is actually working?
>
> you mean like alerting on any traffic? sure... we use the following rules in a
> file named local-test.rules... just like local.rules, put it in place with the
> proper permissions, add it to your snort.conf and restart snort... only let it
> run a minute because it can generate thousands of alerts per second depending on
> your traffic and your machine's capabilities... then edit your snort.conf to
> comment it out or remove it and restart your snort...
>
> ----- snip -----
> #
> # The rules in this file are only to test a snort installation to see if it is
> # seeing any traffic at all.
> # These rules should NOT be used all the time. Once tested and working, this
> # rule file should be commented out in your snort.conf so that it is not used.
> #
> #------------------
> # LOCAL TEST RULES
> #------------------
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
> alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
> alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)
>
> ----- snip -----
>
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
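The enable / run briefly / comment-out-again procedure from the quoted reply, scripted as an added example that is not from the thread. It assumes snort.conf pulls the file in through a line `include $RULE_PATH/local-test.rules` (a hypothetical path), that GNU coreutils `timeout` is installed, and it runs a foreground snort instance rather than restarting the service.

```shell
#!/bin/sh
# Added example, not from the thread: automate the "enable local-test.rules,
# run briefly, comment it out again" procedure. Assumes snort.conf pulls the
# file in via a line 'include $RULE_PATH/local-test.rules' (hypothetical path)
# and that GNU coreutils `timeout` is installed.

INCLUDE_LINE='include $RULE_PATH/local-test.rules'

# Uncomment the include line, or append it if snort.conf has no such line.
enable_test_rules() {
    conf="$1"
    if grep -q '^#[[:space:]]*include \$RULE_PATH/local-test\.rules$' "$conf"; then
        sed 's|^#[[:space:]]*\(include \$RULE_PATH/local-test\.rules\)$|\1|' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    elif ! grep -q '^include \$RULE_PATH/local-test\.rules$' "$conf"; then
        printf '%s\n' "$INCLUDE_LINE" >> "$conf"
    fi
}

# Comment the include line out again so the noisy rules do not stay live.
disable_test_rules() {
    conf="$1"
    sed 's|^include \$RULE_PATH/local-test\.rules$|# &|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Number of active (uncommented) includes of the test file; 0 when disabled.
active_test_includes() {
    grep -c '^include \$RULE_PATH/local-test\.rules$' "$1" || true
}

# Enable the rules, run Snort in the foreground for at most $2 seconds
# (default 60, per the post's "only let it run a minute"), then disable them
# even if Snort exits non-zero. Runs a test instance instead of restarting
# the service, a simplification of the posted procedure.
run_timed_test() {
    conf="$1"; secs="${2:-60}"
    enable_test_rules "$conf"
    # -q: no banner; -A console: print alerts to stdout. timeout exits 124
    # when the limit is hit, which is the expected outcome here.
    timeout "$secs" snort -q -A console -c "$conf" || true
    disable_test_rules "$conf"
    [ "$(active_test_includes "$conf")" = "0" ] ||
        echo "WARNING: test rules still enabled in $conf" >&2
}

# Usage: sh snort-test.sh run /etc/snort/snort.conf 60
if [ "${1:-}" = "run" ]; then run_timed_test "$2" "${3:-60}"; fi
```

Snort reserves sid values below 1,000,000 for the rules shipped with the distribution, so the sids 1 to 8 in the posted file are fine for a throwaway test but a rule file meant to stay in place should use 1,000,000 and up.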

