Test Snort Local.Rules
Go to C:\Snort\rules and open local.rules in WordPad.
After the existing text, we will add 3 alert rules,
to test and see whether Snort will detect traffic based on a local rule:
alert icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP test Jeremy"; sid:10000001;)
alert udp $HOME_NET any -> $HOME_NET any (msg:"UDP test Jeremy"; sid:10000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TCP test Jeremy"; sid:10000003;)
Then, open a command prompt and run:
snort -i 1 -c c:\Snort\etc\snort.conf -A console
Tip: the interface number after -i might not always be 1 (in snort -i 1 -c c:\Snort\etc\snort.conf -A console it selects the network interface Snort listens on).
Run this command to get the right number:
To test the first rule (ICMP), just ping another device on the LAN,
and Snort should detect this ICMP traffic.
By default, the network will already be carrying UDP traffic,
so UDP alerts should start to appear on their own.
Lastly, open a web browser and go to any website, and we should see TCP traffic.
Once we can see that Snort is detecting these three rules,
we should have a high degree of trust that Snort is good to go.
We will want to remove these 3 rules from the local.rules file (they match all LAN traffic, so leaving them in would bury the real alerts),
and then start Snort and let it do its thing.
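A quick way to confirm that all three test rules fired is to save the console output to a file and check it for the three sids. The script below is an added example, not part of the original page: it parses the fast-alert lines Snort prints with -A console, counts hits per sid, and flags a test rule that never fired or fired for the wrong protocol. The sample alert lines are constructed here for the demonstration (the format is Snort's console format; the addresses and timestamps are made up).

```python
import re
from collections import Counter

# Constructed sample of Snort "-A console" output (fast-alert format). It is not
# captured from the page; the sids and messages are the three test rules above.
SAMPLE_CONSOLE = """\
01/15-10:23:45.123456  [**] [1:10000001:0] ICMP test Jeremy [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.20
01/15-10:23:46.000111  [**] [1:10000002:0] UDP test Jeremy [**] [Priority: 0] {UDP} 192.168.1.10:137 -> 192.168.1.255:137
01/15-10:23:47.500222  [**] [1:10000003:0] TCP test Jeremy [**] [Priority: 0] {TCP} 198.51.100.7:443 -> 192.168.1.10:51234
01/15-10:23:48.000333  [**] [1:10000001:0] ICMP test Jeremy [**] [Priority: 0] {ICMP} 192.168.1.20 -> 192.168.1.10
Commencing packet processing (pid=4242)
"""

# One console alert line: timestamp, [gid:sid:rev], message, {PROTO}, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# sid -> protocol the three test rules from the page are expected to fire on
EXPECTED_TEST_RULES = {10000001: "ICMP", 10000002: "UDP", 10000003: "TCP"}


def parse_console_alerts(text):
    """Return one dict per alert line; non-alert lines (startup chatter) are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        alert = m.groupdict()
        for key in ("gid", "sid", "rev"):
            alert[key] = int(alert[key])
        alerts.append(alert)
    return alerts


def count_by_sid(alerts):
    """How many times each sid fired."""
    return Counter(a["sid"] for a in alerts)


def check_test_rules(alerts, expected=EXPECTED_TEST_RULES):
    """Return {sid: status}; status is 'ok', 'missing', or 'wrong-proto:<PROTO>'."""
    status = {}
    for sid, proto in expected.items():
        hits = [a for a in alerts if a["sid"] == sid]
        if not hits:
            status[sid] = "missing"
            continue
        wrong = sorted({a["proto"] for a in hits if a["proto"] != proto})
        status[sid] = "wrong-proto:" + ",".join(wrong) if wrong else "ok"
    return status


def all_test_rules_fired(alerts, expected=EXPECTED_TEST_RULES):
    """True only when every test rule fired on the protocol it was written for."""
    return all(s == "ok" for s in check_test_rules(alerts, expected).values())


if __name__ == "__main__":
    # Replace SAMPLE_CONSOLE with open("alerts.txt").read() after running
    # snort ... -A console > alerts.txt and generating the three kinds of traffic.
    found = parse_console_alerts(SAMPLE_CONSOLE)
    for sid, status in check_test_rules(found).items():
        print(f"sid {sid}: {status} ({count_by_sid(found)[sid]} hits)")
    print("Snort is good to go:", all_test_rules_fired(found))
```

The protocol check matters because the sids are the only thing tying an alert back to a rule: if a copy-and-paste left two rules with the same sid, the console would still show hits but for the wrong traffic.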
Real Snort config
In the local.rules file in C:\Snort\rules, the following rules should be added. Each rule needs its own unique sid.
We add this rule to log ping-of-death attacks (note that it matches every ICMP packet arriving from $EXTERNAL_NET, not only oversized ones):
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"External ICMP"; sid:10000002;)
We add this rule to learn of unknown external TCP connections into our network/machines:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"External TCP"; sid:10000003;)
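Before restarting Snort on the edited local.rules, it is worth checking the file for the mistakes that are easy to make when rules are copied by hand: a sid reused by two rules, a sid in the range reserved for the official rule sets, or a missing rev. The following linter is an added example, not part of the original page or of Snort itself; the sample rules file is constructed for the demonstration and deliberately contains a reused sid and a leftover test rule.

```python
import re

# Constructed local.rules content for the demonstration: the two production rules
# from this page as they would read if the sid were pasted without changing it,
# plus one test rule that was not removed.
SAMPLE_RULES = """\
# local.rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"External ICMP"; sid:10000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"External TCP"; sid:10000002;)
alert udp $HOME_NET any -> $HOME_NET any (msg:"UDP test Jeremy"; sid:10000002; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)
# Options: key:value pairs such as msg:"..."; sid:1; and bare keywords such as nocase;
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

LOCAL_SID_MIN = 1_000_000  # sids below this are reserved for the official rule sets


def parse_rules(text):
    """Parse a rules file into dicts; comments and blank lines are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            rules.append({"lineno": lineno, "error": "unparseable rule header", "raw": line})
            continue
        rule = m.groupdict()
        rule["lineno"] = lineno
        rule["options"] = {
            key: (None if value == "" else value.strip('"'))
            for key, value in OPTION_RE.findall(rule.pop("opts"))
        }
        rules.append(rule)
    return rules


def lint_rules(rules):
    """Return (lineno, message) findings in file order."""
    findings = []
    first_seen = {}  # sid -> line where it was first used
    for rule in rules:
        if "error" in rule:
            findings.append((rule["lineno"], rule["error"]))
            continue
        opts = rule["options"]
        if "msg" not in opts:
            findings.append((rule["lineno"], "missing msg; alerts would carry no description"))
        if "rev" not in opts:
            findings.append((rule["lineno"], "missing rev; add rev:1 so later edits can be tracked"))
        sid_text = opts.get("sid")
        if sid_text is None or not sid_text.isdigit():
            findings.append((rule["lineno"], "missing or non-numeric sid"))
            continue
        sid = int(sid_text)
        if sid < LOCAL_SID_MIN:
            findings.append((rule["lineno"], f"sid {sid} is below {LOCAL_SID_MIN}, the range reserved for official rules"))
        if sid in first_seen:
            findings.append((rule["lineno"], f"duplicate sid {sid}, first used on line {first_seen[sid]}; Snort flags duplicate gid:sid pairs at startup"))
        else:
            first_seen[sid] = rule["lineno"]
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_RULES with open(r"C:\Snort\rules\local.rules").read() to lint the real file.
    for lineno, message in lint_rules(parse_rules(SAMPLE_RULES)):
        print(f"line {lineno}: {message}")
```

Running it on the constructed file reports the reused sid on lines 3 and 4 and the missing rev on lines 2 and 3; the same check on the real local.rules catches the problem before Snort does.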
How to know if traffic is good or bad
Enter this command into a command line prompt:
For example, I didn’t know what 18.104.22.168 was. Using this technique,
I found it was TeamViewer. I configured TeamViewer to not run as a service.
If you get “non-existent domain”, then look up the IP address here, like this:
http://whatismyipaddress.com/ip/22.214.171.124
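The reverse lookup described above can be scripted for every unfamiliar address in the alert output. The script below is an added example and not part of the original page: it skips addresses inside the home network, tries a PTR lookup (the "non-existent domain" answer corresponds to the lookup returning nothing), and otherwise hands back the whatismyipaddress.com URL in the form the page uses. The HOME_NET value is an assumption for the demonstration, and the resolver can be swapped out so the logic can be checked without network access.

```python
import ipaddress
import socket

# Assumed HOME_NET for the demonstration; the page does not state the author's value.
HOME_NET = (ipaddress.ip_network("192.168.1.0/24"),)

# The lookup site named on the page, with the address substituted in.
LOOKUP_URL = "http://whatismyipaddress.com/ip/{ip}"


def is_home_net(ip_str, home_net=HOME_NET):
    """True for addresses that are ours: inside HOME_NET, private, or loopback."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_private or ip.is_loopback or any(ip in net for net in home_net)


def reverse_dns(ip_str):
    """PTR lookup; returns None where nslookup would report 'non-existent domain'."""
    try:
        return socket.gethostbyaddr(ip_str)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def triage(ip_str, resolver=reverse_dns, home_net=HOME_NET):
    """Say what is known about one address from an alert and what to do next."""
    if is_home_net(ip_str, home_net):
        return {"ip": ip_str, "scope": "internal", "hostname": None,
                "next_step": "identify the LAN device itself"}
    hostname = resolver(ip_str)
    if hostname:
        return {"ip": ip_str, "scope": "external", "hostname": hostname,
                "next_step": f"decide whether {hostname} is expected on this network"}
    return {"ip": ip_str, "scope": "external", "hostname": None,
            "next_step": "no PTR record; look it up at " + LOOKUP_URL.format(ip=ip_str)}


def triage_many(ip_strs, resolver=reverse_dns, home_net=HOME_NET):
    """Triage a list of addresses once each, external ones first."""
    results = [triage(ip, resolver, home_net) for ip in sorted(set(ip_strs))]
    return sorted(results, key=lambda r: r["scope"] != "external")


if __name__ == "__main__":
    # Addresses taken from the page's own example plus a constructed LAN address.
    for result in triage_many(["18.104.22.168", "192.168.1.10", "18.104.22.168"]):
        print(result["ip"], result["scope"], result["hostname"], "->", result["next_step"])
```

In practice the address list comes from the {TCP} src -> dst part of the External TCP alerts; a hostname that resolves to a known vendor (the author's TeamViewer case) is a configuration question, while an address with no PTR record and no recognisable owner on the lookup page deserves a closer look at the host that talked to it.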