How to verify that Snort is operating
Source: JP Vossen, CISSP - Posted by Joe Shakespeare   
Is your new Snort system running too quietly? Whether you're new to Snort or you've just deployed it on a new platform, a low noise level may have you worried. It could be a tightly tuned (or too tightly tuned) system, or the IDS may be sitting on a quiet network segment. Fortunately, several methods exist for testing Snort over the wire to confirm it's working properly in your environment.

To start, you can run Snort in sniffer mode from the command line. This confirms that the network card is working, that a span port is enabled (see Network-based IDS: How to deal with switches and segments) and that Snort is actually seeing traffic. If the sensor has more than one network interface card (NIC) (see How many interfaces does my sensor need?), you'll need to tell Snort exactly which one to use. To find the interface name, use ifconfig on Linux/Unix or snort -W on Windows (which lists the available interfaces and their index numbers). Then run snort -vi <interface name>, for example snort -vi eth1 on Linux or snort -vi 2 on Windows, to tell Snort which NIC to sniff. If everything is working, you'll get a stream of packet header information (similar to tcpdump/windump) scrolling up the screen faster than you can read it. Press Ctrl-C to stop the capture and review the packet statistics: the number of packets analyzed, a breakdown by protocol, fragmentation counts and more. Also experiment with the -d (dump application data) and -q (quiet) switches to see how they affect the output.

You can manually check Snort's detection using the "ICMP Large ICMP Packet" rule. For this test to work, you'll need to make sure the "ICMP Large ICMP Packet" rule is not disabled and that it's possible to send an ICMP packet larger than 800 bytes from a network defined as $EXTERNAL_NET into the network defined as $HOME_NET (see your snort.conf file and How should I define Snort's configuration variables?). If those conditions are met, either of the following should trigger an alert: ping -s 1024 {target host} (Linux) or ping -l 1024 {target host} (Windows). If neither test produces an alert, then Snort likely isn't working and/or packets aren't getting through to the sensor. A brute-force troubleshooting method is to add some simple rules to the very bottom of your snort.conf:
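The following script is an added example, not part of the original article, that scripts the large-ping check above on a Linux sensor: it counts existing "ICMP Large ICMP Packet" alerts (sid 499 in the classic ruleset) in an alert_fast-format file, sends one oversized echo request and confirms the count went up. The alert file path, the target host and the sample alert lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the article): confirm the "ICMP Large ICMP Packet"
# test actually produced a Snort alert, rather than eyeballing the console.

# Constructed sample of Snort's alert_fast output, used only for offline
# testing of the parsing below. Real output comes from "output alert_fast".
make_sample_alerts() {
  cat > "$1" <<'EOF'
05/12-10:14:02.123456  [**] [1:499:4] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 203.0.113.5 -> 192.0.2.10
05/12-10:14:03.123456  [**] [1:499:4] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 203.0.113.5 -> 192.0.2.10
05/12-10:14:05.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.10
EOF
}

# Count alert_fast lines for generator 1 and the given sid ($2) in file $1.
# The "[1:<sid>:" token is what distinguishes rules in alert_fast output.
count_sid_alerts() {
  if [ ! -f "$1" ]; then echo 0; return; fi
  grep -c "\[1:$2:" "$1" || true
}

# Run the over-the-wire check: $1 = target host inside $HOME_NET,
# $2 = Snort alert file (assumed /var/log/snort/alert by default).
# Returns 0 if the large ping raised at least one new sid 499 alert.
run_large_icmp_test() {
  target="$1"
  alerts="${2:-/var/log/snort/alert}"
  before=$(count_sid_alerts "$alerts" 499)
  # 1024-byte payload exceeds the rule's dsize threshold of 800 bytes.
  ping -c 1 -s 1024 "$target" >/dev/null 2>&1
  sleep 2   # give Snort a moment to flush the alert to disk
  after=$(count_sid_alerts "$alerts" 499)
  [ "$after" -gt "$before" ]
}

# Usage on a live sensor (target host and path are placeholders):
#   run_large_icmp_test 192.0.2.10 /var/log/snort/alert && echo "Snort is alerting"
```

If the count does not increase, check the $EXTERNAL_NET/$HOME_NET definitions and the span port before assuming the rule itself is at fault.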
