Snort mailing list archives

Re: Still trying to build this box


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 12 Mar 2013 11:53:17 -0500

On 3/12/2013 10:55, Jim Turner wrote:
> Hello Waldo Kitty,
>
> I watched a youtube video where the guy was able to test his logging by pinging
> websites.

okay...

> Is this no longer an activity that can be logged?

it can be if you have rules for such traffic and they are enabled as well as 
looking on the proper interface...

> I suspect that I have successfully installed Snort. I would like to know if it
> is working before I deploy the box on a network.
>
> Is there any way to verify that everything is working perfectly?

not everything but... ;)

what some blogs and helpers recommend is to create a local.rules file and then 
create a rule in there that will alert on everything... make sure that 
local.rules is included in your snort.conf and that it is with your other rules 
files with the proper permissions... then restart snort... the "catch 
everything" rules would be something like these...


alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:3; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; sid:6; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; sid:7; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; sid:8; rev:1;)


"any" used to be allowed as a protocol but when i tested it just now with snort 
2.9.3.1, it didn't like it at all...

you'll want to disable these as soon as possible and restart snort ;)


From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Tuesday, March 12, 2013 11:51 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Still trying to build this box

On 3/12/2013 09:03, Jim Turner wrote:
 > I have made progress since last night. Snort is now starting and not erroring on
 > the rules. I accomplished this by uninstalling and starting all over again. Now
 > I am just unable to log any of the data.

what are you expecting to log? snort will only log traffic that creates
alerts... regular/normal traffic should not create alerts... it only ran for 90
seconds...
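A small checker for the "catch everything" local.rules approach described above, added here as an example (not code from the thread or the Snort project). It flags the problems a first rules file tends to have: a protocol Snort 2.9.3.1 rejects ("any"), a rule missing msg/sid/rev, and duplicate sids; the minimum local sid of 1000000 is an assumed convention, not something the thread states.

```python
import re

# Added example (not from the thread): lint a Snort 2.x local.rules before loading it.
# Checks the points raised above: protocol must be tcp/udp/icmp/ip ("any" is rejected),
# each rule needs msg, sid and rev, sids must be unique.  Assumption: local sids >= 1000000.
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1000000
HEADER = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+\S+\s+\S+"
                    r"\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$")  # action proto src sport dir dst dport (opts)
# constructed sample local.rules: one good catch-all rule and three faulty ones
SAMPLE = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; sid:1000001; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"any traffic outbound"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; sid:1000001; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; sid:6; rev:1;)
"""

def parse_options(opts):
    """Split 'msg:"x"; sid:1; rev:1;' into a dict (';' inside quotes not supported)."""
    out = {}
    for part in re.split(r";\s*", opts):
        if part:
            key, _, val = part.partition(":")
            out[key.strip()] = val.strip().strip('"')
    return out

def lint_rules(text):
    """Return (line_no, problem) tuples for every issue found in the rules text."""
    problems, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        m = HEADER.match(line)
        if not m:
            problems.append((n, "unparseable rule header"))
            continue
        if m["proto"] not in PROTOCOLS:
            problems.append((n, f"protocol '{m['proto']}' not accepted (use tcp/udp/icmp/ip)"))
        opts = parse_options(m["opts"])
        for req in ("msg", "sid", "rev"):
            if req not in opts:
                problems.append((n, f"missing {req} option"))
        if opts.get("sid", "").isdigit():
            sid = int(opts["sid"])
            if sid in seen:
                problems.append((n, f"duplicate sid {sid} (first seen on line {seen[sid]})"))
            seen.setdefault(sid, n)
            if sid < LOCAL_SID_MIN:
                problems.append((n, f"sid {sid} is below the local range (>= {LOCAL_SID_MIN})"))
    return problems
```

Run `lint_rules(open("local.rules").read())` before restarting snort; an empty list means the file has none of the problems above, and `snort -T -c snort.conf` then confirms the config as a whole parses.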



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
