[TriLUG] snort help

jason watts jsnthegod at hotmail.com
Tue Jun 20 19:25:30 EDT 2006

Hello all again,

I am trying to install BASE as part of my senior project.

I seem to be having a problem with Snort. When I run the command snort -v 
-i4 and terminate it with Ctrl-C, it shows that I have no alerts. I have added the 
following lines to the end of the snort.conf file:

include $RULE_PATH/test.rules

# sid/rev added to the rule below: Snort warns on a rule with no sid, and newer releases refuse to load it
alert tcp any any -> any any (msg:"TCP traffic"; sid:2000002; rev:1;)

alert ip any any -> any any (msg:"Got an IP Packet"; classtype:not-suspicious; sid:2000000; rev:1;)
alert icmp any any -> any any (msg:"Got an ICMP Packet"; classtype:not-suspicious; sid:2000001; rev:1;)
alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2000499; rev:4;)

which, from what I have read, should report any packet as an alert... however 
it does not.

I have restarted Windows several times in case it needed a restart to 
recognize the changes to the config file. The test.rules file contains the 
bottom 3 lines (starting at alert ip any any).

I know it's not running on a Linux machine, but I was hoping you guys had an 
idea where I could start looking to figure out why it's not reporting any 
alerts (I'm fairly certain it's a problem with my conf... but I followed the 
tutorial and it seems to not be working).

I can copy and paste the .conf file into the email, but I didn't want to attach 
a HUGE HUGE file and clutter up everyone's email.
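Two things a practitioner would check before digging through the whole snort.conf. First, `snort -v -i4` on its own runs Snort in sniffer mode: it prints packets but never reads snort.conf, so no rule is loaded and no alert can fire. Rules only load when the config is passed with `-c`, e.g. `snort -c snort.conf -i 4 -A console`, which also prints alerts to the terminal instead of only writing them to the log directory. Second, the rules themselves should be sanity-checked: the "TCP traffic" rule as posted carries no sid or rev, and Snort warns about (and in later releases rejects) rules without a sid. The script below is an added example, not part of the original post or of Snort itself; it is a small lint for Snort 2.x rule lines that parses the header and the option body, records `include` directives, and reports missing msg/sid/rev, sids outside the local range (1000000 and up, by Snort convention), and duplicate sids. The sample input is a constructed copy of the rules quoted in the post, one rule per line; the regex, the option splitter and the `LOCAL_SID_MIN` constant are this example's own assumptions, not Snort's parser.

```python
"""Lint Snort 2.x rule lines: header parsing, option parsing, and common mistakes.

Added example, not code from the original post or from the Snort project.
"""
import re

# Constructed sample input: the rules quoted in the post, one rule per line.
SAMPLE_RULES = """\
include $RULE_PATH/test.rules
alert tcp any any -> any any (msg:"TCP traffic";)
alert ip any any -> any any (msg:"Got an IP Packet"; classtype:not-suspicious; sid:2000000; rev:1;)
alert icmp any any -> any any (msg:"Got an ICMP Packet"; classtype:not-suspicious; sid:2000001; rev:1;)
alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2000499; rev:4;)
"""

# Rule header: action proto src sport dir dst dport (options)
# Assumption of this example: a simplified header grammar, not Snort's full parser.
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+'
    r'(?P<proto>ip|tcp|udp|icmp)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# Snort convention: sids below 1,000,000 belong to distributed rule sets; local rules start there.
LOCAL_SID_MIN = 1000000


def split_options(opts):
    """Split the option body on ';' but not inside double-quoted strings (e.g. msg:"a;b")."""
    parts, buf, in_quote, prev = [], [], False, ''
    for ch in opts:
        if ch == '"' and prev != '\\':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            item = ''.join(buf).strip()
            if item:
                parts.append(item)
            buf = []
        else:
            buf.append(ch)
        prev = ch
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(line):
    """Return a dict for one rule line, or None if the header does not parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    options = {}
    for item in split_options(m.group('opts')):
        key, _, value = item.partition(':')
        options.setdefault(key.strip(), []).append(value.strip())
    sid = options.get('sid', [None])[0]
    rev = options.get('rev', [None])[0]
    return {
        'action': m.group('action'),
        'proto': m.group('proto'),
        'msg': options.get('msg', [None])[0],
        'sid': int(sid) if sid and sid.isdigit() else None,
        'rev': int(rev) if rev and rev.isdigit() else None,
        'options': options,
    }


def lint_rules(text):
    """Lint a rules/config fragment; returns includes, parsed rules and (line, problem) pairs."""
    report = {'includes': [], 'rules': [], 'problems': []}
    seen_sids = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('include '):
            report['includes'].append(line.split(None, 1)[1])
            continue
        rule = parse_rule(line)
        if rule is None:
            report['problems'].append((lineno, 'unparsable rule header'))
            continue
        report['rules'].append(rule)
        if rule['msg'] is None:
            report['problems'].append((lineno, 'missing msg'))
        if rule['sid'] is None:
            report['problems'].append((lineno, 'missing sid'))
        else:
            if rule['sid'] < LOCAL_SID_MIN:
                report['problems'].append((lineno, 'sid below local range'))
            if rule['sid'] in seen_sids:
                report['problems'].append(
                    (lineno, f'duplicate sid {rule["sid"]} (first on line {seen_sids[rule["sid"]]})'))
            else:
                seen_sids[rule['sid']] = lineno
        if rule['rev'] is None:
            report['problems'].append((lineno, 'missing rev'))
    return report


if __name__ == '__main__':
    for lineno, problem in lint_rules(SAMPLE_RULES)['problems']:
        print(f'line {lineno}: {problem}')
```

Run against the sample, the only findings are on line 2 (missing sid and missing rev for the "TCP traffic" rule); the three rules in test.rules parse cleanly, including `dsize:>800` and the `reference:` option. Pointing `lint_rules` at the real snort.conf and test.rules (read as text) is a cheap check to run before restarting Snort with `-c`.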


