[Snort-users] @empty rules files

anagha b banagha3 at ...11827...
Thu Nov 14 05:16:15 EST 2013


I tried to log the Snort response for an ICMP ping flood, but I have to add the
rule in the local.rules file:

alert icmp any any -> any any (msg:"*ICMP test*"; classtype:bad-unknown;
sid:10000016; rev:1;)

Barnyard is giving the following alert:

11/14-15:22:01.905477  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
11/14-15:22:02.036260  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
11/14-15:22:02.037893  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
11/14-15:22:02.189336  [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]


The msg "*ICMP test*" is not displayed.

I checked, and rule files like ddos.rules and badtraffic.rules are empty.

Is it okay to have empty rule files? I am not getting logs inside
snort.log when I am not specifying a rule inside local.rules.

Or do I have to specify my rules inside these empty files? But I can include
my file in snort.conf and write my own rules, so why keep these empty
files? Or is the snort snapshot for the rules not properly extracted?


Help needed.
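Barnyard2 prints the generic "Snort Alert [gid:sid:rev]" text in place of the rule's msg when that sid is not listed in the sid-msg.map file named by `config sid_file` in barnyard2.conf, which is what happens when a sid added to local.rules is never added to the map. The script below is an added example, not part of this post or of the Snort/Barnyard2 projects: it builds v1-format sid-msg.map lines (`sid || msg || ref ...`) from a constructed rules sample and shows the fallback text for an unmapped sid.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the poster's local.rules; not a file from the post.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert icmp any any -> any any (msg:"*ICMP test*"; classtype:bad-unknown; sid:10000016; rev:1;)
# alert tcp any any -> any 22 (msg:"disabled rule"; sid:10000017; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP test"; reference:url,example.invalid/doc; sid:10000018; rev:2;)
"""

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split 'key:"value"; key:value;' into (key, value) pairs, honouring quotes."""
    pairs, cur, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = "".join(cur).strip()
            if item:
                key, _, val = item.partition(":")
                pairs.append((key.strip(), val.strip().strip('"')))
            cur = []
        else:
            cur.append(ch)
        prev = ch
    return pairs


def rules_to_sidmap(text: str) -> Dict[int, str]:
    """Map sid -> 'sid || msg [|| ref ...]' (sid-msg.map v1 layout) for active rules only."""
    entries: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.startswith(ACTIONS):
            continue  # comments and non-rule lines carry no sid
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < start:
            continue
        opts = split_options(line[start + 1:end])
        msg = next((v for k, v in opts if k == "msg"), None)
        sid = next((v for k, v in opts if k == "sid"), None)
        if msg is None or sid is None:
            continue  # barnyard2 cannot name an alert without both
        refs = [v for k, v in opts if k == "reference"]
        entries[int(sid)] = " || ".join([sid, msg] + refs)
    return entries


def render_alert(sidmap: Dict[int, str], gid: int, sid: int, rev: int) -> str:
    """The text barnyard2 shows: the mapped msg, or the generic fallback for an unmapped sid."""
    if sid in sidmap:
        return sidmap[sid].split(" || ")[1]
    return f"Snort Alert [{gid}:{sid}:{rev}]"
```

Writing the returned lines to the sid-msg.map that barnyard2.conf points at, then restarting barnyard2, replaces the generic text with the rule's msg.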