Snort mailing list archives
Re: Snort Tests?
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 17 Jul 2013 13:06:45 -0400
On 7/17/2013 10:02, mulhern wrote:
Supposing you have Snort up and running, is there any set of available standard tests that you can run to see if it is actually working?
you mean like alerting on any traffic? sure... we use the following rules in a file named local-test.rules... just like local.rules, put it in place with the proper permissions, add it to your snort.conf and restart snort... only let it run a minute because it can generate thousands of alerts per second depending on your traffic and your machine's capabilities... then edit your snort.conf to comment it out or remove it and restart your snort...

----- snip -----
#
# The rules in this file are only to test a snort installation to see if it is seeing any traffic at all.
# These rules should NOT be used all the time. Once tested and working, this rule file should be commented
# out in your snort.conf so that it is not used.
#
#------------------
# LOCAL TEST RULES
#------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)
----- snip -----

--
NOTE: No off-list assistance is given without prior approval.
      Please keep mailing list traffic on the list unless
      private contact is specifically requested and granted.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
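The procedure waldo kitty describes (drop the catch-all rules into place, include them in snort.conf, run Snort for about a minute, count what fired, then comment the include back out) scripted as an added example. This is not code from the post or from the Snort project. It assumes a Snort 2.x layout (/etc/snort/snort.conf, a rules directory, the "fast" alert file written by -A fast), the coreutils timeout command, and an interface name; all of those are overridable through environment variables, and the sample alert lines are constructed for the summary function.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the local-test.rules check.
# Assumptions: Snort 2.x paths below, GNU coreutils "timeout", and the Snort 2
# "fast" alert line format. Adjust the variables for your installation.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULE_DIR="${RULE_DIR:-/etc/snort/rules}"
LOG_DIR="${LOG_DIR:-/var/log/snort}"
IFACE="${IFACE:-eth0}"
TEST_SECONDS="${TEST_SECONDS:-60}"
INCLUDE_LINE='include $RULE_PATH/local-test.rules'

# Write the eight catch-all rules from the post into $1/local-test.rules.
write_test_rules() {
  cat > "$1/local-test.rules" <<'EOF'
# Local test rules: they match ANY traffic. Enable only briefly, then comment the include out.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)
EOF
}

# Append the include line to snort.conf ($1) unless it is already active (idempotent).
enable_test_rules() {
  grep -qxF "$INCLUDE_LINE" "$1" || printf '%s\n' "$INCLUDE_LINE" >> "$1"
}

# Comment every active include line out again so the catch-all rules never stay enabled.
disable_test_rules() {
  tmp="$1.tmp.$$"
  awk -v line="$INCLUDE_LINE" '$0 == line { print "# " line; next } { print }' "$1" > "$tmp" &&
    mv "$tmp" "$1"
}

# Summarise a Snort 2 "fast" alert file ($1) as "<count> <sid>" lines, lowest sid first.
# A fast-alert line starts like: 07/17-13:06:45.000001  [**] [1:1:1] tcp traffic inbound [**] ...
alert_counts_by_sid() {
  sed -n 's/.*\[1:\([0-9][0-9]*\):[0-9][0-9]*].*/\1/p' "$1" | sort -n | uniq -c |
    awk '{ print $1, $2 }'
}

# Total number of test alerts in a fast alert file ($1).
total_test_alerts() {
  alert_counts_by_sid "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Constructed sample of a fast alert file (not real captured output) for trying the summary.
sample_fast_alerts() {
  cat <<'EOF'
07/17-13:06:45.000001  [**] [1:1:1] tcp traffic inbound [**] [Classification: A TCP connection was detected] [Priority: 3] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
07/17-13:06:45.000002  [**] [1:1:1] tcp traffic inbound [**] [Classification: A TCP connection was detected] [Priority: 3] {TCP} 203.0.113.7:51235 -> 192.0.2.10:443
07/17-13:06:45.000003  [**] [1:3:1] ip traffic inbound [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.7:51235 -> 192.0.2.10:443
07/17-13:06:46.000004  [**] [1:7:1] icmp traffic inbound [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
EOF
}

# Validate the config (-T), sniff for $TEST_SECONDS, then report which test rules fired.
# Needs root, the snort binary and coreutils "timeout"; "timeout" exiting 124 is expected.
run_snort_test() {
  command -v snort >/dev/null 2>&1 || { echo "snort not in PATH" >&2; return 2; }
  snort -T -c "$SNORT_CONF" >/dev/null 2>&1 || { echo "snort -T rejected $SNORT_CONF" >&2; return 1; }
  timeout "$TEST_SECONDS" snort -q -c "$SNORT_CONF" -i "$IFACE" -A fast -l "$LOG_DIR"
  alert_counts_by_sid "$LOG_DIR/alert"
}

# Whole procedure when invoked as "sh snort-selftest.sh run": enable, test, always disable.
if [ "${1:-}" = "run" ]; then
  write_test_rules "$RULE_DIR"
  enable_test_rules "$SNORT_CONF"
  run_snort_test
  disable_test_rules "$SNORT_CONF"
fi
```

The include line is added and removed by exact-line match rather than sed substitution, so the `$RULE_PATH` variable reference in it is never interpreted by the shell or by a regex, and disable_test_rules comments the line out instead of deleting it, which leaves a visible trace in snort.conf that the test has been run. If the summary shows only outbound sids firing, $HOME_NET is probably wrong for the sniffing interface; if nothing fires at all, the interface or the include path is the first thing to check.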
Current thread:
- Snort Tests? mulhern (Jul 17)
- Re: Snort Tests? Lawrence Teo (Jul 17)
- Re: Snort Tests? waldo kitty (Jul 17)
- Re: Snort Tests? mulhern (Jul 19)
- <Possible follow-ups>
- Re: Snort Tests? Keith A . Glass (Jul 17)
- Re: Snort Tests? mulhern (Jul 17)
- Re: Snort Tests? Joel Esler (Jul 17)
- Re: Snort Tests? mulhern (Jul 17)
- Re: Snort Tests? mulhern (Jul 17)
- Re: Snort Tests? Keith A . Glass (Jul 17)
- Re: Snort Tests? mulhern (Jul 17)