[Snort-users] Signature Problem
nahc285 at gmail.com
Fri Sep 8 18:44:13 EDT 2017
I am running Snort 22.214.171.124 on CentOS 7.3 in an LXC virtd container and
installed from the RPMs provided on snort.org and loaded it with the
registered, community, and free emerging threats rulesets. It successfully
installed and runs, but I am only getting alerts on ICMP packets from a
local rule I added. I followed the instructions from this UpCloud article
(https://www.upcloud.com/support/installing-snort-on-centos/) and I thought
it was working.
I only realized it wasn't working after spending a day trying to
penetration test using Metasploit and not being able to get Snort to alert
on any of the network attacks. For a sanity test, I added signatures for
any TCP and UDP packets, but Snort failed to alert on any of the traffic.
Below are the local rules that were added:
alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)
alert udp any any -> any any (msg:"UDP test"; sid:10000002; rev:001;)
alert tcp any any -> any any (msg:"TCP test"; sid:10000003; rev:001;)
As I said before, I get ICMP alerts, but if I try to browse a webpage or do
a DNS query, it still won't alert. Tcpdump seems to work fine on the
container, so I don't understand why Snort wouldn't. Did I forget to do