OpenAppID rules seem to download fine for me.
What interface are you running snort on?
Run it on your LAN, as you then see hosts pre-NAT.
Yup the ping rule is a good test to see if snort is working.
If you change your ICMP rule slightly :-
alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:misc-activity;)
alert icmp $HOME_NET any -> !$HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001; classtype:icmp-event;)
It should block outbound ICMP traffic.
andy@pi-3:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=14.8 ms
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 1 received, 83% packet loss, time 5160ms
rtt min/avg/max/mdev = 14.847/14.847/14.847/0.000 ms
andy@pi-3:~ $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2064ms
andy@pi-3:~ $