Reputation: 1
How to detect a couple of pings transmitted from a virtual machine to another by using Snort, which is integrated in AlienVault?
For the record: I did the following instruction (found them on a website)
- I enabled snort sensors (
snort_syslogandsnortunified). In alienvault:
~# nano /etc/snort/rules/local.rulesI did the following rule
alert icmp 192.168.1.130 192.168.1.120 -> any any (msg:"blablabla"; sid:1000004)Save and exit
After that I did:
alienvault:~# perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/alienvault:~# /etc/init.d/ossim-server restart
For some reasons nothing happens in AlienVault interface in SIEM when I ping 192.168.1.120 from 192.168.1.130.
Any ideas??
Upvotes: 0
Views: 632
Answers (1)
Reputation: 31
I don't know wether it is still relevant but in my opinion there is a mistake in your Snort rule:
The rule in Snort cannot consist of two IP-adresses in the first part of the rule header. At the point where you declared the IP '192.168.1.120' you have to declare a port.
The solution you need looks like the following (if i get you right):
alert icmp 192.168.120 any -> 192.168.1.130 any (msg:"blablabla"; sid:1000004)
And also the other way:
alert icmp 192.168.1.130 any -> 192.168.1.120 any (msg:"blablabla"; sid:1000005)
For writing rules in the correct syntax take a look at the manual of snort: http://manual.snort.org/node29.html#SECTION00423000000000000000
I hope that this can help you.
/Chris
Upvotes: 0
Related Questions
- Snort not detecting Pings with other devices
- Security Onion monitor interface in vmware
- How to monitor packets using Snort features?
- sniffing packets from different VM's in Oracle VM VirtualBox
- use scapy sniff the icmp packet which is send to machine C by machine B at machine A
- Reading the captured packet header features in snort
- Java - Detect a ping
- Read the alert log from snort
- Ping between two different VMs on two different computers
- Capture live network traffic from a virtual machine using python