[Snort-users] @empty rules files
wkitty42 at ...14940...
Thu Nov 14 05:46:13 EST 2013
On 11/14/2013 5:16 AM, anagha b wrote:
> I tried to log the snort response for icmp ping flood but I have to add the rule in
> local.rules file
> alert icmp any any -> any any (msg:"*ICMP test*"; classtype:bad-unknown;
> sid:10000016; rev:1;)
> barnyard giving following alert
> 11/14-15:22:01.905477 [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.036260 [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.037893 [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> 11/14-15:22:02.189336 [**] [1:10000016:1] Snort Alert [1:10000016:1] [**]
> msg *icmp test* is not displayed.
this is because the sid-msg.map file is not updated with the sid, msg and other
information... you have to update your sid-msg.map file...
> I checked, and rule files like ddos.rules, badtraffic.rules are empty.
> Is it okay to have empty rule files?
yes... it generally means there are no rules in that 'category'...
> I am not getting logs inside snort.log when I am not specifying a rule
> inside local.rules.
have you tried the steps outlined in the FAQ for "no alerts"?
> Or do I have to specify my rules inside these empty files? But I can include my
> own file in snort.conf by writing my own rules, so why keep these empty files?
> Or is the snort-snapshot for rules not properly extracted?
we cannot tell from your description... yes, you can specify rules in the
conf... but this is not a very good thing to do which is why other files are
included via the conf... can you provide a dir listing of your rules directory
so we can at least see what files you have with their sizes and dates?
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
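As an added illustration of the sid-msg.map point above (example code, not from the post or from the Snort project): the script below parses local.rules, emits v1-style sid-msg.map entries ("sid || msg || reference ..."), and reports which SIDs are still unmapped, which is exactly the situation in which barnyard2 prints a bare "Snort Alert [1:10000016:1]" instead of the rule's msg. The second rule and its reference are constructed sample input; rule-management tools such as PulledPork normally regenerate this file for you.

```python
import re

# Constructed sample input: the rule from the post plus a second local rule
# with a reference option (the second rule is an assumption, not from the post).
LOCAL_RULES = """\
# local.rules (constructed sample)
alert icmp any any -> any any (msg:"*ICMP test*"; classtype:bad-unknown; sid:10000016; rev:1;)
alert tcp any any -> any 23 (msg:"LOCAL telnet attempt; logged"; reference:url,example.invalid/telnet; sid:10000017; rev:2;)
"""

# One rule option: name, optional ':' value, where the value is either a
# double-quoted string (which may itself contain ';') or anything up to ';'.
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_options(rule: str) -> dict:
    """Return the option block of one rule as {name: value}; 'reference' is a list."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return {}
    opts = {"reference": []}
    for name, value in OPTION_RE.findall(rule[start + 1:end]):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if name == "reference":
            opts["reference"].append(value)
        else:
            opts[name] = value
    return opts


def active_rules(rules_text: str) -> list:
    """Non-empty, non-comment lines of a rules file."""
    return [l.strip() for l in rules_text.splitlines() if l.strip() and not l.strip().startswith("#")]


def sid_msg_map(rules_text: str) -> list:
    """Build v1 sid-msg.map lines ('sid || msg || reference ...'), sorted by SID."""
    entries = []
    for rule in active_rules(rules_text):
        opts = parse_options(rule)
        if "sid" in opts and "msg" in opts:
            entries.append((int(opts["sid"]), " || ".join([opts["sid"], opts["msg"]] + opts["reference"])))
    return [text for _, text in sorted(entries)]


def unmapped_sids(rules_text: str, map_text: str) -> list:
    """SIDs that have a rule but no sid-msg.map entry; barnyard2 shows a bare
    'Snort Alert [gid:sid:rev]' for these instead of the rule's msg."""
    mapped = {l.split("||")[0].strip() for l in map_text.splitlines() if l.strip() and not l.startswith("#")}
    wanted = [parse_options(r).get("sid") for r in active_rules(rules_text)]
    return [s for s in wanted if s and s not in mapped]
```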