I'm in a dead end at the configuration of snort.
In theory a simple problem.
I created a test rule to check if snort runs properly.
Location: \etc\snort\rules\local.rules
Content:
alert icmp any any -> $HOME_NET any (msg:"ICMP on fire"; sid:10000001; rev:001;)
Then I ran on terminal:
sudo snort -T -i enp0s3 -c /etc/snort/snort.conf
Message I receive at the end of the initialization:
"Snort successfully validated the configuration!"
"Snort exiting"
But scrolling up I'm seeing:
Initializing rule chains...
0 Snort rules read
0 detection rules
0 decoder rules
0 preprocessor rules
0 Option Chains linked into 0 Chain Headers
No rules at all!
location is correct in conf file under
/etc/snort/snort.conf
var RULE_PATH /etc/snort/rules
Snort 2.9.17 Build 199 Ubuntu 20.04
Any ideas? Thanks in advance!
I would recommend supplying the rule path when you execute Snort using the "--rule-path" flag.
The --rule-path flag is not available and not recognized. As far as I understand, this variable is just that, a variable that is not used anywhere in the configuration file. The only way/workaround that I found was to include the rule files, for example by appending this to the snort.conf:
...
include c:\local.rules
Besides that, has someone found a way to match content in the answer/response? I mean, suppose that I want to check if the server has answered with a known content, for example "success". I've tried with the bidirectional operator <> and flow:to_client, but nothing has worked.
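As an added example (not part of the thread and not Snort's own code), a small POSIX sh script that previews what the include lines of a snort.conf would actually load, which is what the "0 Snort rules read" line reflects: "var RULE_PATH" only defines a variable, and a commented-out "include" loads nothing. The conf and rules files it builds are constructed samples; the second rule in them illustrates the to_client direction question from the last post. It assumes Snort 2 var/include syntax and takes a relative RULE_PATH value as-is.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Snort.
# Prints how many rules a snort.conf would load and lists each included file.
# Only active (uncommented) "include" lines count, exactly as Snort reads them.
snort_rules_preview() {
    conf=$1
    rule_path=$(sed -En 's/^[[:space:]]*var[[:space:]]+RULE_PATH[[:space:]]+//p' "$conf" | tail -n 1)
    total=0
    for inc in $(sed -En 's/^[[:space:]]*include[[:space:]]+//p' "$conf"); do
        # expand $RULE_PATH the way snort.conf uses it
        file=$(printf '%s' "$inc" | sed "s|\\\$RULE_PATH|$rule_path|")
        if [ -r "$file" ]; then
            # a rule line starts with an action keyword; comments are skipped
            n=$(grep -Ec '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$file" || true)
        else
            n=0; echo "warning: $file not readable" >&2
        fi
        echo "$file: $n rules" >&2
        total=$((total + n))
    done
    echo "$total"
}

# Constructed sample files (not real Snort files) reproducing the thread:
# the broken conf defines RULE_PATH but its include line is commented out.
demo=$(mktemp -d)
cat > "$demo/local.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"ICMP on fire"; sid:10000001; rev:1;)
# Matching a server's reply: flow:to_client checks the stream direction, so the
# header must also point from the server ($HOME_NET here) toward the client.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Reply contains success"; flow:to_client,established; content:"success"; nocase; sid:10000002; rev:1;)
EOF
printf 'var RULE_PATH %s\n# include $RULE_PATH/local.rules\n' "$demo" > "$demo/broken.conf"
printf 'var RULE_PATH %s\ninclude $RULE_PATH/local.rules\n' "$demo" > "$demo/fixed.conf"

echo "broken.conf would load $(snort_rules_preview "$demo/broken.conf") rules"   # 0
echo "fixed.conf would load  $(snort_rules_preview "$demo/fixed.conf") rules"    # 2
```

Run it against /etc/snort/snort.conf instead of the sample to see which rule files Snort will really read on a given box.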