[Snort-users] (no subject)

wkitty42 at windstream.net wkitty42 at windstream.net
Mon Feb 5 11:57:36 EST 2018

On 02/05/2018 11:38 AM, Paul O'Brien wrote:
> I typically get 50-100 alerts a day until 2 days ago. 2 days ago I changed
> the vlan configuration on my router. It was configured improperly. I have
> checked to make sure everything is loaded and running. Guess I need to look
> into how to make an any to any alert. I remotely remember testing something
> similar during setup.

any-to-any rules are easy... I use the following local-test.rules for initial 
testing to make sure snort is seeing traffic...

----->8 snip 8<-----
# The rules in this file are only to test a snort installation to see if it is
# seeing any traffic at all.
# These rules should not be used all the time. Once tested and working, this
# rule file should be commented out in your snort.conf so that it is not used.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)
----->8 snip 8<-----
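As an added example (not from the post above or from the Snort project), a small Python checker for a local test rules file of this kind: it parses each rule header and its option list, and flags rules that were split across lines (as mail wrapping does), duplicate sids, and sids below 1,000,000, the range Snort documents for local rules rather than distributed ones. The sample rules and the two defects in them are constructed for the demonstration.

```python
import re

# Constructed sample in the format of the local-test.rules above: one rule per
# line, plus two deliberate defects (a duplicate sid and a mail-wrapped rule).
SAMPLE_RULES = """\
# test rules: comment this file out of snort.conf once traffic is confirmed
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:2; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity;
sid:5; rev:1;)
"""

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)
# One option: name, optional ":value" (quoted or bare), terminated by ';'
OPT_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
LOCAL_SID_MIN = 1000000  # Snort documents sids >= 1,000,000 for local rules

def parse_rule(line):
    # Returns a dict for a complete single-line rule, or None if it does not parse.
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rule = m.groupdict()
    rule["opts"] = {k: v.strip('"') for k, v in OPT_RE.findall(rule.pop("opts"))}
    return rule

def check_rules(text):
    # Returns [(line_no, problem)] for a rules file; an empty list means it is clean.
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            problems.append((n, "not a complete single-line rule (mail-wrapped?)"))
            continue
        sid = rule["opts"].get("sid")
        if sid is None or not sid.isdigit():
            problems.append((n, "missing or non-numeric sid"))
            continue
        if sid in seen:
            problems.append((n, f"duplicate sid {sid}, first used on line {seen[sid]}"))
        seen.setdefault(sid, n)
        if int(sid) < LOCAL_SID_MIN:
            problems.append((n, f"sid {sid} is below {LOCAL_SID_MIN}, the range for local rules"))
    return problems
```

Run `check_rules()` over the contents of a rules file before adding it to snort.conf; any rule the checker cannot parse as a single line is one Snort will reject at startup.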

