Chapter 3 Working with Snort Rules
The last part is the rule options and contains a message that will be logged
along with the alert.
The next rule isn't quite as bad. It generates alerts for all captured ICMP packets.
Again, this rule is useful to find out if Snort is working.
alert icmp any any -> any any (msg: "ICMP Packet found";)
If you want to test the Snort machine, send a ping packet (which is basically an ICMP
ECHO REQUEST packet on UNIX machines). Again, you can use this rule when you
install Snort to make sure that it is working well. As an example, send an ICMP packet to
your gateway address or some other host on the network using the following command:
ping 192.168.2.1
Note that 192.168.2.1 is the IP address of the gateway/router or some other host on
the same network where the Snort machine is present. This command should be executed
on the machine where you installed Snort. The command can be used both on
UNIX and Microsoft Windows machines.
TIP
I use a slightly modified version of this rule to continuously monitor multiple
Snort sensors just to make sure everybody is up and running. This rule is as follows:
alert icmp 192.168.1.4 any -> 192.168.1.1 any (msg: "HEARTBEAT";)
My Snort sensor IP address is 192.168.1.4 and gateway address is 192.168.1.1. I
run the following command through cron daemon on the Linux machine to trigger
this rule every 10 minutes.
ping -c 1 192.168.1.1
The command sends exactly one ICMP packet to the gateway machine. This packet
causes an alert entry to be created. If there is no alert every 10 minutes, there is
something wrong with the sensor.
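As an added example (not from the book and not Snort's own parser), the following Python code parses the rule headers shown above and checks whether a given packet would trigger them. It goes one step beyond the rules in the text by also accepting CIDR blocks such as 192.168.1.0/24 (and a leading "!" for negation) in the address fields, which is how a single rule can cover a whole network instead of one host. The packet tuple, the regular expression and the `_one_way` helper are my own constructions.

```python
import ipaddress
import re

# Constructed sample rule set: the chapter's two ICMP rules, with the arrow written as Snort expects ("->").
RULES = [
    'alert icmp any any -> any any (msg: "ICMP Packet found";)',
    'alert icmp 192.168.1.4 any -> 192.168.1.1 any (msg: "HEARTBEAT";)',
]

# Rule header: action proto src_addr src_port direction dst_addr dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split one rule into its header fields and pull the msg option out."""
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError("cannot parse rule: " + text)
    rule = m.groupdict()
    msg = re.search(r'msg:\s*"([^"]*)"', rule["opts"])
    rule["msg"] = msg.group(1) if msg else ""
    return rule

def addr_matches(spec, ip):
    """'any', a host (treated as /32) or a CIDR block; a leading '!' negates."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def _one_way(r, a, ap, b, bp):
    return (addr_matches(r["src"], a) and port_matches(r["sport"], ap)
            and addr_matches(r["dst"], b) and port_matches(r["dport"], bp))

def matching_alerts(rules, proto, src, sport, dst, dport):
    """msg of every alert rule the packet triggers; ICMP has no ports, pass 0."""
    hits = []
    for r in (parse_rule(t) for t in rules):
        if r["action"] != "alert" or r["proto"] != proto:
            continue
        if _one_way(r, src, sport, dst, dport) or (
                r["dir"] == "<>" and _one_way(r, dst, dport, src, sport)):
            hits.append(r["msg"])
    return hits
```

A heartbeat ping from 192.168.1.4 to 192.168.1.1 fires both rules, while the same ping from any other sensor fires only the generic "ICMP Packet found" rule.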
3.3 CIDR
Classless Inter-Domain Routing (CIDR) is defined in RFC 1519. It was intended to
make better use of available Internet addresses by eliminating the different classes (like
class A and class B). With CIDR, you can define any number of bits in the netmask
field, which was not possible with class-based networking, where the number of bits
was fixed. Using CIDR, network addresses are written with the number of bits in the
netmask appended to the end of the IP address. For example, 192.168.1.0/24 defines a network
with network address 192.168.1.0 and 24 bits in the netmask. A netmask with 24 bits is