[Snort-users] Still trying to build this box

waldo kitty wkitty42 at ...14940...
Tue Mar 12 12:53:17 EDT 2013


On 3/12/2013 10:55, Jim Turner wrote:
> Hello Waldo Kitty,
>
> I watched a youtube video where the guy was able to test his logging by pinging
> websites.

okay...

> Is this no longer an activity that can be logged?

it can be if you have rules for such traffic and they are enabled, as well as 
snort looking on the proper interface...

> I suspect that I have successfully installed Snort. I would like to know if it
> is working before I deploy the box on a network.
>
> Is there any way to verify that everything is working perfectly?

not everything but... ;)

what some blogs and helpers recommend is to create a local.rules file and then 
create a rule in there that will alert on everything... make sure that 
local.rules is included in your snort.conf and that it is with your other rule 
files with the proper permissions... then restart snort... the "catch 
everything" rules would be something like these...


alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:3; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; sid:6; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; sid:7; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; sid:8; rev:1;)


"any" used to be allowed as a protocol but when i tested it just now with snort 
2.9.3.1, it didn't like it at all...

you'll want to disable these as soon as possible and restart snort ;)


> *From:* waldo kitty [mailto:wkitty42 at ...14940...]
> *Sent:* Tuesday, March 12, 2013 11:51 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Still trying to build this box
>
> On 3/12/2013 09:03, Jim Turner wrote:
>  > I have made progress since last night. Snort is now starting and not erroring on
>  > the rules. I accomplished this by uninstalling and starting all over again. Now
>  > I am just unable to log any of the data.
>
> what are you expecting to log? snort will only log traffic that creates
> alerts... regular/normal traffic should not create alerts... it only ran for 90
> seconds...
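The "write a catch-everything local.rules, make sure snort.conf includes it, then restart" procedure in the reply above, as an added shell example that is not part of the original thread or of the Snort project. It assumes a Snort 2.9-style snort.conf that pulls rule files in with "include $RULE_PATH/<file>", and it numbers the test rules from sid 1000001 upward because Snort reserves sids below 1000000 for the official rule sets (the sids 1..8 in the post will load, but can collide with official rules). The snort.conf it builds in a temp directory is constructed for the demonstration; point SNORT_CONF at your real file to run Snort's own self-test.

```shell
#!/bin/sh
# Added example (not from the post): generate temporary "alert on everything"
# rules, check that snort.conf really includes the file, and run Snort's
# config self-test before restarting and looking for alerts.

# Write one alert rule per protocol and direction to the given file.
# Sids 1000001..1000008 are assumed free on this sensor (site-local range).
write_catchall_rules() {
    rules_file="$1"
    sid=1000001
    : > "$rules_file"
    for proto in icmp tcp udp ip; do
        printf 'alert %s $EXTERNAL_NET any -> $HOME_NET any (msg:"%s traffic inbound"; sid:%d; rev:1;)\n' \
            "$proto" "$proto" "$sid" >> "$rules_file"
        sid=$((sid + 1))
        printf 'alert %s $HOME_NET any -> $EXTERNAL_NET any (msg:"%s traffic outbound"; sid:%d; rev:1;)\n' \
            "$proto" "$proto" "$sid" >> "$rules_file"
        sid=$((sid + 1))
    done
}

# Count enabled rules in a file (lines starting with "alert").
count_alert_rules() {
    grep -c '^alert ' "$1"
}

# Return 0 if snort.conf has an UNcommented "include $RULE_PATH/<name>" line,
# 1 otherwise. A commented-out include is the usual reason a rule never fires.
rules_included() {
    conf="$1"; name="$2"
    grep -v '^[[:space:]]*#' "$conf" | grep -Fq "include \$RULE_PATH/$name"
}

# Return 0 if the rules file exists and is readable by the current user
# (the "proper permissions" part of the advice), 1 otherwise.
rules_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Run Snort's configuration self-test (-T) against a snort.conf. This reports
# a missing include, unreadable rule file or rule syntax error before you
# restart the daemon. Returns 2 (skipped) when snort is not on PATH.
snort_config_test() {
    command -v snort >/dev/null 2>&1 || { echo "snort not on PATH; skipping -T"; return 2; }
    snort -T -c "$1"
}

# Demonstration on a constructed snort.conf in a temp dir. The real paths
# would be /etc/snort/snort.conf and $RULE_PATH/local.rules.
workdir=$(mktemp -d)
mkdir -p "$workdir/rules"
write_catchall_rules "$workdir/rules/local.rules"
echo "wrote $(count_alert_rules "$workdir/rules/local.rules") catch-all rules"

# First with the include commented out (the common mistake), then fixed.
printf 'var RULE_PATH %s/rules\n# include $RULE_PATH/local.rules\n' "$workdir" > "$workdir/snort.conf"
if rules_included "$workdir/snort.conf" local.rules; then
    echo "local.rules is included"
else
    echo "local.rules is NOT included in snort.conf (commented out?) -- fix that first"
fi
printf 'var RULE_PATH %s/rules\ninclude $RULE_PATH/local.rules\n' "$workdir" > "$workdir/snort.conf"
rules_included "$workdir/snort.conf" local.rules && echo "local.rules is now included"
rules_readable "$workdir/rules/local.rules" && echo "local.rules is readable"
rm -rf "$workdir"

# Against the real config, if the caller points SNORT_CONF at it.
[ -n "${SNORT_CONF:-}" ] && snort_config_test "$SNORT_CONF"
```

Once `snort -T` passes, restart Snort (or run it in the foreground with `-A console` on the sniffing interface) and ping a host from the other side of the sensor; the icmp inbound/outbound rules should fire on the first packet. As the post says, comment the catch-all rules back out and restart as soon as you have seen alerts, since they will bury real alerts under every packet on the wire.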
