Differences

This shows you the differences between two versions of the page.

--- snort_2.9.6.1_centos_6.5 [2014/05/08 19:34] – admin
+++ snort_2.9.6.1_centos_6.5 [2014/05/09 07:11] – [Test rule] admin
@@ Line 10: / Line 10: @@
 ====Configure Snort====
   * Edit **/etc/sysconfig/snort**
+<code>
+mkdir -p /usr/local/lib/snort_dynamicrules
+chown -R snort:snort /usr/local/lib/snort_dynamicrules
+chmod -R 700 /usr/local/lib/snort_dynamicrules
+</code>
+Copy any dynamic rulesets you have or are using to the above directory.
+====Test rule====
+Put as last line in snot.conf
+  alert icmp any any -> 1.2.3.4 any (msg: "Gateway ping"; sid:10000001;)
+Find the alerts in the log
+<code>
+/09-09:00:07.648953  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
+/09-09:00:07.654956  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
+/09-09:00:07.660981  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
+/09-09:00:07.666729  [**] [1:10000001:0] Gateway ping [**] [Priority: 0] {ICMP} 6.7.8.9 -> 1.2.3.4
+</code>
+You can even show contents of the packets with tcpdump
+  tcpdump -r snort.log.1399615922