[TriLUG] snort help
jason watts
jsnthegod at hotmail.com
Tue Jun 20 19:25:30 EDT 2006
Hello all again,
I am trying to install BASE as part of my senior project.
I seem to be having a problem with snort. When I run the command snort -v
-i4 and terminate it with ctrl-c, it shows that I have no alerts. I have added the
following lines to the end of the snort.conf file:
include $RULE_PATH/test.rules
alert tcp any any -> any any (msg:"TCP traffic";)
alert ip any any -> any any (msg:"Got an IP Packet"; classtype:not-suspicious; sid:2000000; rev:1;)
alert icmp any any -> any any (msg:"Got an ICMP Packet"; classtype:not-suspicious; sid:2000001; rev:1;)
alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2000499; rev:4;)
which, from what I have read, should report any packet as an alert... however
it does not.
I have restarted Windows several times in case it needed a restart to
recognize the changes to the config file. The test.rules file contains the
bottom 3 lines (starting at alert ip any any).
I know it's not running on a Linux machine, but I was hoping you guys had an
idea where I could start looking to figure out why it's not reporting any
alerts (I'm fairly certain it's a problem with my conf... but I followed the
tutorial and it seems to not be working).
I can copy and paste the .conf file into the email, but I didn't want to attach
a HUGE HUGE file and clutter up everyone's email.
jsn
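An added example in response to the symptom described above; it is not part of the original message and not Snort's own code. Two things are worth checking before going through the whole snort.conf. First, `snort -v` runs Snort in sniffer mode: no configuration file and no rules are loaded, so it can never produce an alert no matter what the rules say. Rules are only evaluated in NIDS mode, i.e. `snort -c <path to snort.conf> -i 4 -A console` (the conf path depends on where the Windows installer put it). Second, Snort reads a rules file one logical line at a time: a rule wrapped onto a second line without a trailing backslash fails to parse, because the first line never closes its option parentheses and the second line does not start with an action. The script below is a small lint pass for a Snort 2-style rules file that catches the wrapped-rule case and rules with no numeric, unique sid (BASE groups alerts by generator and signature id, so a rule without one is hard to tell apart in the console). The embedded sample rules are constructed to mirror the post; the sid 2000002 given to the tcp rule is an assumption.

```python
"""Lint a Snort 2-style rules file before handing it to ``snort -c``.

Added example for the post above; it is not Snort's parser and not code from
the original message. It checks that every rule is complete on one logical
line (options in parentheses, or continued with a trailing backslash) and that
it carries a numeric, unique sid, which BASE uses to tell signatures apart.
"""
import re

# Rule header: action proto src sport dir dst dport, then options in ( ... ).
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# snort.conf lines that are legitimately not rules and are skipped.
DIRECTIVES = ("include", "var", "ipvar", "portvar", "config",
              "preprocessor", "output", "dynamicpreprocessor",
              "dynamicengine", "dynamicdetection")

# Constructed sample mirroring the post: the ip rule is wrapped across two
# physical lines with no trailing backslash, and the tcp rule has no sid.
BROKEN_RULES = """\
include $RULE_PATH/test.rules
alert tcp any any -> any any (msg:"TCP traffic";)
alert ip any any -> any any (msg:"Got an IP Packet";
classtype:not-suspicious; sid:2000000; rev:1;)
"""

# Same rules, one logical line each; sid 2000002 for the tcp rule is an
# assumption. The last rule shows the backslash continuation Snort accepts.
FIXED_RULES = """\
alert tcp any any -> any any (msg:"TCP traffic"; sid:2000002; rev:1;)
alert ip any any -> any any (msg:"Got an IP Packet"; classtype:not-suspicious; sid:2000000; rev:1;)
alert icmp any any -> any any (msg:"Got an ICMP Packet"; classtype:not-suspicious; sid:2000001; rev:1;)
alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; \\
    reference:arachnids,246; classtype:bad-unknown; sid:2000499; rev:4;)
"""


def join_continuations(text):
    """Join physical lines ending in a backslash into one logical line, as
    Snort does; returns (first_physical_lineno, logical_line) pairs."""
    logical, buf, start = [], "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((start, buf + line))
        buf, start = "", None
    if buf:  # file ended with a dangling continuation
        logical.append((start, buf.rstrip()))
    return logical


def parse_options(opts):
    """Split 'msg:"a;b"; sid:1; rev:1;' into [('msg', '"a;b"'), ('sid', '1'), ...].
    Semicolons inside double quotes do not end an option (escaped quotes are
    not handled; good enough for a lint pass)."""
    parts, cur, in_quote = [], "", False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur)
    result = []
    for part in parts:
        key, _, value = part.strip().partition(":")
        result.append((key.strip(), value.strip()))
    return result


def lint_rules(text):
    """Return (rules, problems): parsed rules as dicts, and (lineno, message)
    pairs for anything Snort would reject or BASE could not attribute."""
    rules, problems, seen_sids = [], [], {}
    for lineno, line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#") or line.split()[0] in DIRECTIVES:
            continue
        m = HEADER_RE.match(line)
        if m is None:
            problems.append((lineno, "not a complete rule on one line "
                             "(wrapped without a trailing backslash?): %s" % line[:40]))
            continue
        opts = dict(parse_options(m.group("opts")))
        sid = opts.get("sid")
        if sid is None:
            problems.append((lineno, "rule has no sid; BASE cannot tell its alerts apart"))
        elif not sid.isdigit():
            problems.append((lineno, "sid is not numeric: %r" % sid))
        elif sid in seen_sids:
            problems.append((lineno, "sid %s already used on line %d" % (sid, seen_sids[sid])))
        else:
            seen_sids[sid] = lineno
        rules.append({"line": lineno, "action": m.group("action"),
                      "proto": m.group("proto"), "sid": sid,
                      "msg": opts.get("msg", "").strip('"')})
    return rules, problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        rules, problems = lint_rules(text)
        print("%s: %d rule(s) parsed, %d problem(s)" % (name, len(rules), len(problems)))
        for lineno, message in problems:
            print("  line %d: %s" % (lineno, message))
```

Run it against the real test.rules by reading the file into `lint_rules`; once it reports no problems, start Snort with `-c` and `-A console` and send a ping at the interface to confirm that the icmp rules fire before going back to the BASE side of the setup.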