Need some help on Snort testing
I installed the Snort package, downloaded the rules, configured both WAN and LAN interfaces for Snort, and it seems working fine (service, snort interfaces are all up and green). For testing purpose, I enable Snort_icmp-info.rules and all the rules inside the category. The ping and nmap scan to the WAN and LAN interfaces do not generate any alert or block the attacker. Any suggestion would be appreicated.
I believe that many of those rules are designed to alert when icmp traffic sourced from EXTERNAL_NET destined for HOME_NET. So in order for those rules to alert, a successful ping has to occur that matches those conditions.
When I was testing snort, I was pinging from a lan interface to a lan interface. Since neither was from a network associated with EXTERNAL_NET I would never see an alert. In order to get an alert to fire, I modified both EXTERNAL_NET and HOME_NET variables in one of the icmp rules to read "Any". This way, you don't have to be concerned with where your traffic originates from.