Snort mailing list archives
Signature Problem
From: Kai Chan via Snort-users <snort-users () lists snort org>
Date: Fri, 8 Sep 2017 18:44:13 -0400
Hello,

I am running Snort 2.9.9.0 on CentOS 7.3 in an LXC virtd container, installed from the RPMs provided on snort.org and loaded with the registered, community, and free Emerging Threats rulesets. It successfully installed and runs, but I am only getting alerts on ICMP packets from a local rule I added. I followed the instructions from this UpCloud article (https://www.upcloud.com/support/installing-snort-on-centos/) and I thought it was working. I only realized it wasn't working after spending a day trying to penetration test using Metasploit and not being able to get Snort to alert on any of the network attacks.

For a sanity test, I added signatures for any TCP and UDP packets, but Snort failed to alert on any of the traffic. Below are the local rules that were added:

    alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)
    alert udp any any -> any any (msg:"UDP test"; sid:10000002; rev:001;)
    alert tcp any any -> any any (msg:"TCP test"; sid:10000003; rev:001;)

As I said before, I get ICMP alerts, but if I try to browse a webpage or do a DNS query, it still won't alert. Tcpdump seems to work fine on the container, so I don't understand why Snort wouldn't. Did I forget to do something?

Thanks,
Kai
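The following is an added example, not code from the original message or from the Snort project: a small Python checker that parses the three sanity rules above exactly as they would sit in local.rules, splits out the header (action, protocol, addresses, ports, direction) and the options (msg, sid, rev), and flags the kinds of rule-file mistakes that silently stop a rule from loading or firing: duplicate or non-numeric sids, a missing msg, a sid below the local-rule range. The sample rule strings and the deliberately broken BAD_RULES set are constructed for this example; the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample input: the three sanity rules from the message above,
# as they would sit in local.rules.
LOCAL_RULES = """\
# local.rules (constructed sample)
alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)
alert udp any any -> any any (msg:"UDP test"; sid:10000002; rev:001;)
alert tcp any any -> any any (msg:"TCP test"; sid:10000003; rev:001;)
"""

# Constructed sample with defects the checker should catch:
# a duplicated sid and a rule with no msg option.
BAD_RULES = """\
alert tcp any any -> any 80 (msg:"dup one"; sid:10000010; rev:1;)
alert tcp any any -> any 443 (msg:"dup two"; sid:10000010; rev:1;)
alert udp any any -> any 53 (sid:10000011; rev:1;)
"""

# Snort 2 rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<body>.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';' while leaving quoted strings intact."""
    parts, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_options(body):
    """Return rule options as a dict; flag options without a value map to None."""
    options = {}
    for part in split_options(body):
        key, sep, value = part.partition(":")
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        options[key.strip()] = value if sep else None
    return options


def parse_rule(line):
    """Parse one rule line into header fields plus an 'options' dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = {k: v for k, v in m.groupdict().items() if k != "body"}
    rule["options"] = parse_options(m.group("body"))
    return rule


def load_rules(text):
    """Parse every non-blank, non-comment line of a rules file."""
    return [
        parse_rule(line)
        for line in (l.strip() for l in text.splitlines())
        if line and not line.startswith("#")
    ]


def check_rules(rules):
    """Return human-readable problems; an empty list means the set looks sane."""
    problems = []
    sids = Counter(r["options"].get("sid") for r in rules)
    for r in rules:
        opts = r["options"]
        sid = opts.get("sid")
        if sid is None or not sid.isdigit():
            problems.append(f"{r['proto']} rule has missing or non-numeric sid")
            continue
        if sids[sid] > 1:
            problems.append(f"duplicate sid {sid}")
        if int(sid) < 1000000:
            problems.append(f"sid {sid} is below the local-rule range (>= 1000000)")
        if not opts.get("msg"):
            problems.append(f"sid {sid} has no msg")
        rev = opts.get("rev")
        if rev is None or not rev.isdigit():
            problems.append(f"sid {sid} has missing or non-numeric rev")
    return problems


def protocols_covered(rules):
    """Protocols for which an unrestricted any->any alert rule exists."""
    return {
        r["proto"] for r in rules
        if r["action"] == "alert"
        and (r["src"], r["sport"], r["dst"], r["dport"]) == ("any",) * 4
    }


if __name__ == "__main__":
    rules = load_rules(LOCAL_RULES)
    print("protocols with any->any alert rules:", sorted(protocols_covered(rules)))
    print("problems in LOCAL_RULES:", check_rules(rules) or "none")
    print("problems in BAD_RULES:", check_rules(load_rules(BAD_RULES)))
```

Running it confirms that all three sanity rules parse cleanly and that every protocol the message mentions (icmp, udp, tcp) has an unrestricted alert rule, so a missing alert on web or DNS traffic is not a rule-syntax problem. This checker only inspects the rule text; whether Snort actually loaded the file and sees the packets is a separate question, for which Snort's own configuration self-test (`snort -T -c <snort.conf>`) and a packet-count check on the monitored interface are the next steps.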