Snort mailing list archives

can't get snort (patched for snortsam) to trigger on a test rule


From: rgr () sdf lonestar org (Rob Ristroph)
From: rgr () sdf lonestar org (Robert G. Ristroph)
Date: Tue, 23 Aug 2005 14:41:25 -0500


Hi,

        I am running Debian testing.  I was running snort from the
        debian packages for a while, but I decided to incorporate
        snortsam to actually block attacking IPs and to do that I had
        to uninstall the debian snort package, and get the snort
        source and patch it, and install snort from source.

        My problem is that snort doesn't trigger on anything.

        I made a test rule and put it in /etc/snort/rules/test.rules,
        which says:

alert icmp $HOME_NET any -> 1.2.3.4 any (msg:"ICMP test rule"; fwsam:dst,30 sec;)

        I remembered to include test.rules from /etc/snort/snort.conf.

        When I start snort and ping 1.2.3.4 from the machine running
        snort or from other machines, nothing happens.

        While debugging this, I eventually quit using the snort
        startup script; I am currently running it from the command line
        like this:

/usr/local/bin/snort -m 027 -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=192.168.0.0/16 -i eth0

        Note that I took out the -D.  I also removed square brackets
        that used to go around the 192.168.0.0/16 on the advice of
        someone on #snort on freenode.

        Note that if I run

snort -dvi eth0 | grep 1\.2\.3\.4

        while I am pinging 1.2.3.4, I get the output:

08/23-14:39:48.391792 70.112.100.20 -> 1.2.3.4
08/23-14:39:49.391742 70.112.100.20 -> 1.2.3.4
08/23-14:39:50.391682 70.112.100.20 -> 1.2.3.4

        So I am pretty sure I am connected to the right interface.

        Any help at all would be appreciated.

--Rob
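An added example, not part of the post above and not Snort's own code: a minimal Python matcher for the header portion of a Snort rule (action, protocol, source and destination with `$VAR` expansion and CIDR matching, ports). It takes the rule, the `HOME_NET` value and the first `snort -dv` capture line quoted in the post, plus one constructed capture line with a 192.168.x.x source, and reports for each packet which header clause, if any, rejects it. Rule options such as `msg` and `fwsam` are not evaluated, and only the `->` direction is modelled.

```python
"""Minimal Snort-style rule-header matcher (added example, not Snort code).

Models only the header part of rule evaluation: protocol, source and
destination address (with $VAR expansion, [a,b] lists, ! negation and
CIDR matching) and ports. Rule options (msg, fwsam, ...) are ignored and
only the '->' direction is supported.
"""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)
# Address lines as printed by `snort -dv`, e.g.
# "08/23-14:39:48.391792 70.112.100.20 -> 1.2.3.4"
CAPTURE_RE = re.compile(r"^\S+\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)")


def resolve_addr(spec, variables):
    """Expand a Snort address specifier into (negated, networks).

    networks is None for "any"; $NAME is looked up in `variables`;
    a [a,b,...] list becomes several networks; a leading ! negates
    the whole specifier.
    """
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return (negated, None)
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]
    return (negated, nets)


def parse_header(rule, variables):
    """Parse the rule header and resolve its address specifiers."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule header: %r" % rule)
    header = m.groupdict()
    if header["dir"] != "->":
        raise ValueError("only the -> direction is modelled here")
    header["src"] = resolve_addr(header["src"], variables)
    header["dst"] = resolve_addr(header["dst"], variables)
    return header


def addr_matches(resolved, ip):
    negated, nets = resolved
    ip = ipaddress.ip_address(ip)
    hit = True if nets is None else any(ip in n for n in nets)
    return hit != negated  # negation flips the result


def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:  # Snort range syntax lo:hi; either side may be empty
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def failing_clauses(header, pkt):
    """Names of header clauses that reject pkt; empty means the packet is
    a candidate and the rule options would be evaluated next."""
    failed = []
    if header["proto"] not in ("ip", pkt["proto"]):
        failed.append("proto")
    if not addr_matches(header["src"], pkt["src"]):
        failed.append("src")
    if not addr_matches(header["dst"], pkt["dst"]):
        failed.append("dst")
    if not port_matches(header["sport"], pkt.get("sport", 0)):
        failed.append("sport")
    if not port_matches(header["dport"], pkt.get("dport", 0)):
        failed.append("dport")
    return failed


def packets_from_capture(text, proto="icmp"):
    """Turn `snort -dv` address lines into packet dicts (ICMP assumed)."""
    pkts = []
    for line in text.splitlines():
        m = CAPTURE_RE.match(line.strip())
        if m:
            pkts.append({"proto": proto, "src": m.group("src"), "dst": m.group("dst")})
    return pkts


# The rule and HOME_NET value from the post; the first capture line is
# quoted from the post, the second is constructed for contrast.
RULE = 'alert icmp $HOME_NET any -> 1.2.3.4 any (msg:"ICMP test rule"; fwsam:dst,30 sec;)'
VARIABLES = {"HOME_NET": "192.168.0.0/16"}
SAMPLE_CAPTURE = """\
08/23-14:39:48.391792 70.112.100.20 -> 1.2.3.4
08/23-14:39:49.000000 192.168.1.10 -> 1.2.3.4
"""


def diagnose(rule=RULE, variables=VARIABLES, capture=SAMPLE_CAPTURE):
    """For each captured packet, return (source, rejecting clauses)."""
    header = parse_header(rule, variables)
    return [(p["src"], failing_clauses(header, p)) for p in packets_from_capture(capture)]


if __name__ == "__main__":
    for src, failed in diagnose():
        verdict = "candidate for alert" if not failed else "rejected by " + ", ".join(failed)
        print("%-15s -> %s" % (src, verdict))
```

Running it shows the pinging host from the captured line (70.112.100.20) is rejected by the `src` clause because it is outside 192.168.0.0/16, while the constructed 192.168.1.10 source passes every header clause. The same check is a quick way to confirm, before digging into the snortsam patch or preprocessor ordering, that a test packet can match the rule header at all.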



