Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Need some help on Snort testing

    Scheduled Pinned Locked Moved
    pfSense Packages
    2
    2
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jgaumtsac.edu
      last edited by

      I installed the Snort package, downloaded the rules, configured both WAN and LAN interfaces for Snort, and it seems working fine (service, snort interfaces are all up and green).  For testing purpose, I enable Snort_icmp-info.rules and all the rules inside the category.  The ping and nmap scan to the WAN and LAN interfaces do not generate any alert or block the attacker.  Any suggestion would be appreicated.

      Jim

      1 Reply Last reply Reply Quote 0
      • S
        sdb1031
        last edited by

        I believe that many of those rules are designed to alert when icmp traffic sourced from EXTERNAL_NET destined for HOME_NET.  So in order for those rules to alert,  a successful ping has to occur that matches those conditions.

        When I was testing snort,  I was pinging from a lan interface to a lan interface.  Since neither was from a network associated with EXTERNAL_NET I would never see an alert.  In order to get an alert to fire, I modified both EXTERNAL_NET and HOME_NET variables in one of the icmp rules to read "Any".  This way, you don't have to be concerned with where your traffic originates from.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post