Generating Alerts on Linux

To see if Snort is working, beyond just getting it to load without errors (not a trivial feat in itself), it is helpful to generate some alerts. The easiest way to validate setup and configuration is to create a couple of test rules, load them in Snort, and trigger them so you can check whether they generate alerts as expected. Put your test rules in the local.rules file located in the /etc/snort/rules directory, and check that snort.conf includes that file with a line reading include $RULE_PATH/local.rules; a rule file that is not included is never loaded, however correct it is.

  1. Open local.rules with a text editor: # nano local.rules
  2. Move down beyond the commented header information to the first blank line. Start with some generic rules to test network traffic detection. Enter the following, all on one line: alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;) Use straight double quotes; the curly quotes that word processors and some web pages substitute are a syntax error to the Snort rule parser. Keep local sids at 1000000 or above, since lower numbers are reserved for the official rule sets.
  3. Press Enter to move to a new line, and create another rule to check TCP traffic detection: alert tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
  4. Press Enter to move to a new line, and create another rule to check UDP traffic detection: alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)
  5. You can create any number of additional rules you like; just be sure to start each one on a new line.
  6. Exit nano with Ctrl-X and confirm you want to save the changes by answering Yes.

If you are going to test Snort with these rules using unified2 output handled by Barnyard2, you also need to record each rule you write in the sid-msg.map file located in the /etc/snort directory. A unified2 record carries only the generator ID, signature ID (sid) and revision of the rule that fired, so Barnyard2 looks the sid up in this mapping file to recover the message text for each alert. Edit sid-msg.map using nano, scroll to the very end of the file, and add a new line for each rule you have created. The syntax in sid-msg.map is <sid> || <message>, and the message should match the msg text of the rule, so for the ICMP Testing Rule above you would add a line that reads:
1000001 || ICMP Testing Rule
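The rule entry and sid-msg.map steps above are easy to get subtly wrong (curly quotes, a forgotten sid, a map line that drifts from the rule's msg). The script below is an added example, not code from the original page or from the Snort or Barnyard2 projects: it appends the three test rules to a rule file, checks the file for those mistakes, and generates the matching sid-msg.map lines directly from the rules so the two files cannot disagree. File paths are passed as arguments; the real ones on the system described are /etc/snort/rules/local.rules and /etc/snort/sid-msg.map.

```shell
#!/bin/sh
# Added example (not from the original page or the Snort project): append the
# three test rules to a local.rules file, sanity-check the file, and generate
# or sync the matching sid-msg.map lines that Barnyard2 needs.
# Assumptions: one rule per line; each rule carries msg:"..." and sid:N;
# file paths are passed as arguments rather than hard-coded.

# Write the page's three test rules to the rule file given as $1 (appending).
write_test_rules() {
    cat >> "$1" <<'EOF'
alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)
EOF
}

# Catch the mistakes that make Snort refuse the file or Barnyard2 lose the
# message: curly quotes, a rule without msg or sid, or a sid below 1000000
# (the range reserved for local rules). Prints offenders, returns 1 on any.
check_rules() {
    rules="$1"
    rc=0
    active='^(alert|log|pass|drop|reject|sdrop) '
    if grep -nF -e '“' -e '”' "$rules"; then
        echo "curly quotes above; Snort needs straight \" quotes" >&2; rc=1
    fi
    if grep -nE "$active" "$rules" | grep -vE 'msg:"[^"]*";'; then
        echo "rule(s) above have no msg option" >&2; rc=1
    fi
    if grep -nE "$active" "$rules" | grep -vE 'sid:[0-9]+;'; then
        echo "rule(s) above have no sid option" >&2; rc=1
    fi
    if grep -nE "$active" "$rules" | grep -E 'sid:[0-9]{1,6};'; then
        echo "rule(s) above use a sid below 1000000" >&2; rc=1
    fi
    return $rc
}

# Print one "<sid> || <msg>" line per active rule, taking both values from the
# rule itself so the map can never drift from the rule text.
gen_sidmap() {
    awk '
    /^(alert|log|pass|drop|reject|sdrop) / {
        msg = ""; sid = ""
        if (match($0, /msg:"[^"]*"/)) msg = substr($0, RSTART + 5, RLENGTH - 6)
        if (match($0, /sid:[0-9]+/))  sid = substr($0, RSTART + 4, RLENGTH - 4)
        if (msg != "" && sid != "") print sid " || " msg
    }' "$1"
}

# Append to the map ($2) every mapping whose sid is not already there, so the
# function is safe to run repeatedly after adding more rules to $1.
sync_sidmap() {
    rules="$1"; map="$2"
    gen_sidmap "$rules" | while IFS= read -r entry; do
        sid=${entry%% *}
        grep -q "^$sid ||" "$map" 2>/dev/null || printf '%s\n' "$entry" >> "$map"
    done
}

# Usage: sh snort-rules-check.sh demo   (works on temp copies of both files)
if [ "${1:-}" = "demo" ]; then
    rules=$(mktemp) map=$(mktemp)
    write_test_rules "$rules"
    check_rules "$rules" && sync_sidmap "$rules" "$map" && cat "$map"
    rm -f "$rules" "$map"
fi
```

Run it against the live files with check_rules /etc/snort/rules/local.rules && sync_sidmap /etc/snort/rules/local.rules /etc/snort/sid-msg.map, then restart Snort and Barnyard2 so both re-read their inputs.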

If you start Snort with the -A console option, the alerts print to the terminal as they happen, so you can watch them while you perform the steps below.

  1. Open a terminal session using the Dash Home search bar, entering “terminal,” and selecting the Terminal icon.
  2. Login as root using su or sudo su
  3. If /usr/local/bin is not in root's PATH, change to the directory where the snort binary is installed: # cd /usr/local/bin
  4. Check the configuration first, then start Snort: # snort -T -c /etc/snort/snort.conf followed by # snort -c /etc/snort/snort.conf -A console (add -i <interface> if the first interface Snort finds is not the one your test traffic crosses)
  5. Open another terminal session, leaving Snort running in the first.
  6. Send a ping command to your local gateway (or any other host): $ ping 192.168.1.1
  7. Press Ctrl-C to stop the ping process
  8. Open Firefox and browse to a web page served over plain HTTP (an https:// URL connects to port 443 and will not match the port 80 rule)
  9. You should see the alerts Snort produces in the first terminal shell where Snort is running.

Ordinarily, you won't need to do anything special to generate UDP alerts, because the operating system already generates plenty of UDP activity (DNS lookups, for one) when it is connected to a network. If you are running standalone and don't see any UDP alerts, you can run a traceroute from the command line to any IP address or hostname, since the Linux traceroute sends UDP probes by default, for example: $ traceroute www.snort.org
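Watching the console tells you alerts are appearing, but not whether every test rule fired. The script below is an added example, not code from the original page or from the Snort project: it reads a capture of the console output and reports, per sid, how many times each rule fired and which expected sids are missing. It assumes the session was captured with something like snort -c /etc/snort/snort.conf -A console -i eth0 | tee /tmp/snort-console.log (the interface and path are assumptions), or that you point it at the alert file written by -A fast, which uses the same [gid:sid:rev] line format. The sample lines embedded in it are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original page or the Snort project): confirm
# from a captured "snort -A console" session (or an -A fast alert file) that
# each test rule actually fired. Both formats carry "[gid:sid:rev] msg".

# Print "sid count" for every sid that appears in the capture, one per line.
count_by_sid() {
    sed -nE 's/.*\[([0-9]+):([0-9]+):([0-9]+)\].*/\2/p' "$1" |
    sort | uniq -c | awk '{ print $2, $1 }'
}

# Return 0 if every sid named after the file fired at least once; report the
# ones that did not on stderr and return 1 otherwise.
check_alerts() {
    log="$1"; shift
    missing=0
    for sid in "$@"; do
        if ! grep -qE "\[[0-9]+:$sid:[0-9]+\]" "$log"; then
            echo "sid $sid never fired" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of console output (not real traffic; addresses are from
# the private and documentation ranges) for a stand-alone run.
SAMPLE='03/15-10:22:01.123456  [**] [1:1000001:1] ICMP Testing Rule [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.1
03/15-10:22:01.124001  [**] [1:1000001:1] ICMP Testing Rule [**] [Priority: 0] {ICMP} 192.168.1.1 -> 192.168.1.10
03/15-10:22:09.550327  [**] [1:1000002:1] TCP Testing Rule [**] [Priority: 0] {TCP} 192.168.1.10:51234 -> 192.0.2.10:80'

# Usage: sh check-alerts.sh demo, or call check_alerts <capture> <sid>...
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); printf '%s\n' "$SAMPLE" > "$f"
    count_by_sid "$f"
    check_alerts "$f" 1000001 1000002 1000003; echo "exit status: $?"
    rm -f "$f"
fi
```

In the demo the UDP rule (sid 1000003) is reported as never having fired, which is exactly the case the traceroute above is meant to cover; on a networked host rerun the check after the traceroute and it should come back clean.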