[Snort-users] Signature Problem

Kai Chan nahc285 at gmail.com
Fri Sep 8 18:44:13 EDT 2017


I am running Snort on Centos 7.3 in a lxc virtd container and
installed from the RPMs provided on snort.org and loaded it with the
registered, community, and free emerging threats rulesets.  It successfully
installed and runs, but I am only getting alerts on ICMP packets from a
local rule I added.  I followed the instructions from this UpCloud article (
https://www.upcloud.com/support/installing-snort-on-centos/) and I thought
it was working.

I only realized it wasn't working after spending a day trying to
penetration test using Metasploit and not being able to get Snort to alert
on any of the network attacks.  For a sanity test, I added signatures for
any TCP and UDP packets, but Snort failed to alert on any of the traffic.
Below are the local rules that were added:

alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)
alert udp any any -> any any (msg:"UDP test"; sid:10000002; rev:001;)
alert tcp any any -> any any (msg:"TCP test"; sid:10000003; rev:001;)

As I said before, I get ICMP alerts, but if I try to browse a webpage or do
a DNS query, it still won't alert.  Tcpdump seems to work fine on the
container, so I don't understand why Snort wouldn't.  Did I forget to do

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170908/bf23805a/attachment.html>

More information about the Snort-users mailing list