Snort 配置死胡同

Question

I'm in a dead end at the configuration of snort.

In theory a simple problem.

I created a test rule to check if snort runs properly.

Location:\etc\snort\rules\local.rules

Content:

alert icmp any any -> $HOME_NET any (msg:"ICMP on fire"; sid:10000001; rev:001;)

Then I ran on terminal:

 sudo snort -T -i enp0s3  -c /etc/snort/snort.conf 

Message I receive at the end of the initialization:

 "Snort successfully validated the configuration!"

 "Snort exiting"

But scrolling up I'm seeing:

Initializing rule chains...
0 Snort rules read
0 detection rules
0 decoder rules
0 preprocessor rules
0 Option Chains linked into 0 Chain Headers

No rules at all!

location is correct in conf file under

/etc/snort/snort.conf

 var RULE_PATH /etc/snort/rules

Snort 2.9.17 Build 199 Ubuntu 20.04

Any ideas?Thnnks in advance!

Answer 1

I would recommend supplying the rule path when you execute Snort using the "--rule-path" flag.

Answer 2

The --rule-path flag is not available and not recognized. As far I understand this variable is just that, a variable that's not used anywhere in the configuration file. The only way/workaround that I found was include the rule files for ex.

In the snort.conf appending this.

.
.
.
.

include c:\local.rules

Besides that, someone found a way to match content in answer/response? I mean, let suppose that I want to check if the server has answer with a known content, for ex: success . I've tried with bidirectional operator <> and flow:to_client but nothing has worked.