Generating Alerts
To see if Snort is working, beyond just getting it to load without errors (not a trivial feat in itself), it is helpful to generate some alerts. The easiest way to do this to validate setup and configuration is to create a couple of testing rules, load them in Snort, and trigger them so you can check to see if they generate alerts as expected. Put your testing rules in the local.rules file that is located in the c:\Snort\rules directory.
- Open local.rules with a text editor such as Notepad++ or Wordpad.
- Move down beyond the commented header information to the first blank line. Start with some generic rules to test network traffic detection. Enter the following, all on one line: alert icmp any any -> any any (msg:”ICMP Testing Rule”; sid:1000001; rev:1;)
- Press Enter to move to a new line, and create another rule to check TCP traffic detection: alert tcp any any -> any 80 (msg:”TCP Testing Rule”; sid:1000002; rev:1;)
- Press Enter to move to a new line, and create another rule to check UDP traffic detection: alert udp any any -> any any (msg:”UDP Testing Rule”; sid:1000003; rev:1;)
- You can create any number of additional rules you like; just be sure to start each one on a new line.
- Save the file and exit the editor. Note: If you use Notepad, it is important to save the file as type “All Files” rather than the text documents default. The default will add “.txt” to the rule file name (so it will become local.rules.txt) and Snort will generate an error when it tries to load the file.
If you load these rules by starting Snort with the -A console option, when you test the rules by performing the steps listed below, you can see the output on the screen as it happens. Note that the startup command shown below uses interface #2, which is often the correct choice, but many systems have multiple network interfaces so it is a good idea to determine which one you want Snort to monitor by running the command snort -W to see the available interfaces.
- Open a command shell by locating Command Prompt in the Accessories of the Windows start menu.
- Right-click on Command Prompt and select “Run as administrator”
- Navigate to the directory where Snort is installed: c:\Windows\system32> cd \Snort\bin
- Start Snort: c:\Snort\bin> snort -i 2 -c c:\Snort\etc\snort.conf -A console
- Open another Command Prompt window, leaving Snort running in the first (you do not need to run the second one as administrator).
- Send a ping command to your local gateway (or any other host): c:\> ping 192.168.1.1
- Open a web browser and browse to any web page.
- You should see the alerts Snort produces in the first terminal shell where Snort is running.
Ordinarily, you won’t need to do anything special to generate UDP alerts, because the operating system already generates plenty of UDP activity (such as ARP requests and responses or SSDP traffic) when it is connected to a network. If you are running standalone and don’t see any UDP alerts, you can open a browser and enter a URL in the address bar; DNS lookups typically use UDP by default.