Why is snort not logging?

Talks about most anything... No SPAM! No advertising! No lingo, ebonics, or street talk! Period! End of story...

Moderator: Forum Moderators

Why is snort not logging?

Postby wkitty42 » Mon Jul 22, 2013 1:09 pm

> Why snort is not logging?

you mean like alerting on any traffic? we use the following rules in a file named local-test.rules... it is just like local.rules, you put it in your snort rules directory with the proper permissions and ownership, add it to your snort.conf and restart snort... you should only let snort run for a minute because it can generate thousands of alerts per second with these rules... how many depends on your traffic and your machine's capabilities... then edit your snort.conf to comment out that rules file entry or remove it and restart your snort... then you can look at your alert and log files to see if traffic was recorded... if it was, then things are working properly... if it was not, then we have to look deeper...

Code: Select all
#
# The rules in this file are only to test a snort installation to see if it is
# seeing any traffic at all. These rules should NOT be used all the time. Once
# tested and working, this rule file should be commented out in your snort.conf
# so that it is not used.
#
#------------------
# LOCAL TEST RULES
#------------------

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)
User avatar
wkitty42
solar system
 
Posts: 3731
Joined: Fri Mar 26, 2004 5:06 pm
Location: Central North Carolina, USA

Return to General Chat

Who is online

Users browsing this forum: CommonCrawl [Bot] and 0 guests