Snort mailing list archives

Signature Problem
From: Kai Chan via Snort-users <snort-users () lists snort org>
Date: Fri, 8 Sep 2017 18:44:13 -0400

Hello,

I am running Snort 2.9.9.0 on CentOS 7.3 in an LXC virtd container,
installed from the RPMs provided on snort.org, and loaded it with the
registered, community, and free emerging threats rulesets.  It successfully
installed and runs, but I am only getting alerts on ICMP packets from a
local rule I added.  I followed the instructions from this UpCloud article (
https://www.upcloud.com/support/installing-snort-on-centos/) and I thought
it was working.

I only realized it wasn't working after spending a day trying to
penetration test using Metasploit and not being able to get Snort to alert
on any of the network attacks.  For a sanity test, I added signatures for
any TCP and UDP packets, but Snort failed to alert on any of the traffic.
Below are the local rules that were added:
alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)
alert udp any any -> any any (msg:"UDP test"; sid:10000002; rev:001;)
alert tcp any any -> any any (msg:"TCP test"; sid:10000003; rev:001;)

As I said before, I get ICMP alerts, but if I try to browse a webpage or do
a DNS query, it still won't alert.  Tcpdump seems to work fine on the
container, so I don't understand why Snort wouldn't.  Did I forget to do
something?

Thanks,
Kai
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
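As an added example (not part of the post or of Snort itself), a small linter for the kind of local.rules file quoted above: it parses each rule's header and options and reports what Snort would reject or what violates local-rule conventions (missing sid or msg, duplicate sid, local sid below 1000000, non-numeric rev). The three sanity-test rules from the post are embedded as constructed input; it assumes no escaped semicolons inside the msg text.

```python
"""Lint a Snort 2 local.rules file before loading it."""
import re

# Constructed input: the three sanity-test rules quoted in the post.
LOCAL_RULES = """\
alert icmp any any -> any any (msg:"ICMP test"; sid:10000001; rev:001;)
alert udp any any -> any any (msg:"UDP test"; sid:10000002; rev:001;)
alert tcp any any -> any any (msg:"TCP test"; sid:10000003; rev:001;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>ip|icmp|tcp|udp)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

def parse_rule(line):
    """Split one rule into header fields plus an options dict (assumes no ';' inside msg)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {line!r}")
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop('opts').split(';'))):
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    rule['options'] = opts
    return rule

def lint_rules(text):
    """Return (sid, problem) pairs; an empty list means the file is clean."""
    problems, seen = [], set()
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        opts = parse_rule(line)['options']
        sid = opts.get('sid')
        if sid is None or not sid.isdigit():
            problems.append((sid, 'missing or non-numeric sid'))
            continue
        if int(sid) < 1000000:          # sids below 1000000 belong to distributed rulesets
            problems.append((sid, 'local sid below 1000000'))
        if int(sid) in seen:
            problems.append((sid, 'duplicate sid'))
        seen.add(int(sid))
        if 'msg' not in opts:
            problems.append((sid, 'missing msg'))
        if not opts.get('rev', '').isdigit():
            problems.append((sid, 'missing or non-numeric rev'))
    return problems
```

Run `lint_rules(open('/etc/snort/rules/local.rules').read())` against the real file; the post's three rules pass, which narrows the search to how Snort is seeing the traffic rather than to the rules themselves.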
