Snort mailing list archives
can't get snort (patched for snortsam) to trigger on a test rule
From: rgr () sdf lonestar org (Rob Ristroph)
From: rgr () sdf lonestar org (Robert G. Ristroph)
Date: Tue, 23 Aug 2005 14:41:25 -0500
Hi, I am running Debian testing. I was running snort from the debian packages for a while, but I decided to incorporate snortsam to actually block attacking IPs, and to do that I had to uninstall the debian snort package, get the snort source and patch it, and install snort from source. My problem is that snort doesn't trigger on anything.

I made a test rule and put it in /etc/snort/rules/test.rules, which says:

    alert icmp $HOME_NET any -> 1.2.3.4 any (msg:"ICMP test rule"; fwsam:dst,30 sec;)

I remembered to include test.rules from /etc/snort/snort.conf. When I start snort and ping 1.2.3.4 from the machine running snort or from other machines, nothing happens.

While debugging this, I eventually quit using the snort startup script; I am currently running it from the command line like this:

    /usr/local/bin/snort -m 027 -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=192.168.0.0/16 -i eth0

Note that I took out the -D. I also removed the square brackets that used to go around the 192.168.0.0/16 on the advice of someone on #snort on freenode.

Note that if I run

    snort -dvi eth0 | grep 1\.2\.3\.4

while I am pinging 1.2.3.4, I get the output:

    08/23-14:39:48.391792 70.112.100.20 -> 1.2.3.4
    08/23-14:39:49.391742 70.112.100.20 -> 1.2.3.4
    08/23-14:39:50.391682 70.112.100.20 -> 1.2.3.4

So I am pretty sure I am connected to the right interface. Any help at all would be appreciated.
--Rob
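An added example, not from the post or from Snort itself: a small matcher that parses the rule header quoted above, substitutes HOME_NET from the -S setting, and evaluates it against the endpoints shown in the -dv output. It assumes only the header subset this rule uses (single IPs, CIDR blocks, "any" and $VAR references; no lists or negation), and treats the -dv lines as constructed sample packets.

```python
import ipaddress
import re

# Rule and variable exactly as given in the post (sample input for this example).
RULE = 'alert icmp $HOME_NET any -> 1.2.3.4 any (msg:"ICMP test rule"; fwsam:dst,30 sec;)'
VARS = {"HOME_NET": "192.168.0.0/16"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(rule, variables):
    """Split a Snort 2.x rule into header fields plus the raw option string.

    Only single IPs, CIDR blocks, 'any' and $VAR references are supported;
    an undefined variable raises KeyError, mirroring a rule that fails to load.
    """
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % rule)
    fields = m.groupdict()
    for key in ("src", "dst"):
        if fields[key].startswith("$"):
            fields[key] = variables[fields[key][1:]]
    return fields


def addr_matches(spec, ip):
    """True when ip falls inside spec ('any', a host address or a CIDR block)."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(fields, proto, src_ip, dst_ip):
    """Return True when protocol and endpoints satisfy the rule header.

    Ports are ignored because ICMP has none and this rule uses 'any' anyway.
    """
    if fields["proto"] != proto:
        return False
    forward = addr_matches(fields["src"], src_ip) and addr_matches(fields["dst"], dst_ip)
    if fields["dir"] == "<>":  # bidirectional header: either orientation matches
        return forward or (addr_matches(fields["src"], dst_ip) and addr_matches(fields["dst"], src_ip))
    return forward


if __name__ == "__main__":
    f = parse_rule(RULE, VARS)
    # Endpoints from the post's -dv output: 70.112.100.20 -> 1.2.3.4
    print("src spec %s, dst spec %s, match=%s" % (f["src"], f["dst"], header_matches(f, "icmp", "70.112.100.20", "1.2.3.4")))
```

Comparing the source address in the captured lines with the expanded HOME_NET specification is the first check to run when a $HOME_NET rule stays silent on traffic the sniffer clearly sees.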