To see whether Snort is working, beyond just getting it to load without errors (not a trivial feat in itself), it helps to generate some alerts. The easiest way to validate the setup and configuration is to create a couple of testing rules, load them in Snort, and trigger them so you can check whether they generate alerts as expected. Put your testing rules in the local.rules file located in the /etc/snort/rules directory.
If you are going to test Snort with these rules using unified2 output handled by Barnyard2, you also need to make sure that each rule you write is recorded in the sid-msg.map file located in the /etc/snort directory. Barnyard2 references this mapping file to record information about each alert beyond the signature identifier (sid). Edit sid-msg.map using nano, scroll to the very end of the file, and add a new line for each rule you have created. The syntax in the sid-msg.map file is <sid> || <description>, so for the ICMP Testing Rule above, for example, you would add a line that reads:
1000001 || ICMP TESTING
If you load these rules by starting Snort with the -A console option, then when you test the rules by performing the steps listed below, you see the alert output on the screen as it happens.
Ordinarily, you won't need to do anything special to generate UDP alerts, because the operating system already generates plenty of UDP activity when it is connected to a network. If you are running standalone and don't see any UDP alerts, you can run a traceroute from the command line against any IP address or hostname, such as: $ traceroute www.snort.org.
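The sid-msg.map step above can be automated so the map never drifts from local.rules. The script below is an added example, not part of the original page: it pulls the sid and msg out of each rule line and appends any missing <sid> || <description> entries. The two testing rules in it (the ICMP one from the page and a UDP one for the traceroute check) are constructed samples, and it works in a temporary directory rather than /etc/snort.

```shell
#!/bin/sh
# Added example: build sid-msg.map entries from local.rules for Barnyard2.
# Assumes one rule per line with msg:"..." and sid:N; options (standard Snort syntax).

# Print "<sid> || <msg>" for a rule line; return 1 for comments, blanks, or
# lines with no usable sid/msg so callers can skip them.
rule_to_sidmsg() {
    line=$1
    case "$line" in
        ''|'#'*) return 1 ;;
    esac
    sid=$(printf '%s\n' "$line" | sed -n 's/.*[;( ]sid:[ ]*\([0-9][0-9]*\)[ ]*;.*/\1/p')
    msg=$(printf '%s\n' "$line" | sed -n 's/.*msg:[ ]*"\([^"]*\)".*/\1/p')
    [ -n "$sid" ] && [ -n "$msg" ] || return 1
    printf '%s || %s\n' "$sid" "$msg"
}

# Append an entry for every rule in $1 to the map file $2, skipping sids
# already present so the script is safe to re-run after editing local.rules.
update_sidmsg_map() {
    rules=$1; map=$2
    touch "$map"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(rule_to_sidmsg "$line") || continue
        sid=${entry%% ||*}
        if ! grep -q "^$sid ||" "$map"; then
            printf '%s\n' "$entry" >> "$map"
        fi
    done < "$rules"
}

# Constructed sample rules in the local sid range (1000000+), written to a
# temp dir so this runs offline without touching /etc/snort.
demo_dir=$(mktemp -d)
cat > "$demo_dir/local.rules" <<'EOF'
# local testing rules (constructed sample)
alert icmp any any -> $HOME_NET any (msg:"ICMP TESTING"; sid:1000001; rev:1;)
alert udp any any -> any any (msg:"UDP TESTING"; sid:1000002; rev:1;)
EOF
update_sidmsg_map "$demo_dir/local.rules" "$demo_dir/sid-msg.map"
update_sidmsg_map "$demo_dir/local.rules" "$demo_dir/sid-msg.map"   # second run adds nothing
cat "$demo_dir/sid-msg.map"
```

For a real deployment, point the two arguments at /etc/snort/rules/local.rules and /etc/snort/sid-msg.map and restart Barnyard2 so it re-reads the map.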