3.2 The First Bad Rule
Here is the first (very) bad rule. In fact, this may be the worst rule ever written, but it does a very good job of testing if Snort is working well and is able to generate alerts.
alert ip any any -> any any (msg: "IP Packet detected";)
You can use this rule at the end of the snort.conf file the first time you install Snort. The rule will generate an alert message for every captured IP packet. It will soon fill up your disk space if you leave it there! This rule is bad because it does not convey any information. What is the point of using a rule on a permanent basis that tells you nothing other than the fact that Snort is working? This should be your first test to make sure that Snort is installed properly. In the next section, you will find information about the different parts of a Snort rule. However for the sake of completeness, the following is a brief explanation of different words used in this rule:
The word “alert” shows that this rule will generate an alert message when the criteria are met for a captured packet. The criteria are defined by the words that follow.
The “ip” part shows that this rule will be applied on all IP packets.
The first “any” is used for source IP address and shows that the rule will be applied to all packets.
The second “any” is used for the port number. Since port numbers are irrelevant at the IP layer, the rule will be applied to all packets.
The -> sign shows the direction of the packet.
The third “any” is used for destination IP address and shows that the rule will be applied to all packets irrespective of destination IP address.
The fourth “any” is used for destination port. Again it is irrelevant because this rule is for IP packets and port numbers are irrelevant.
The last part is the rule options and contains a message that will be logged along with the alert.
The next rule isn't quite as bad. It generates alerts for all captured ICMP packets. Again, this rule is useful to find out if Snort is working.
alert icmp any any -> any any (msg: "ICMP Packet found";)
If you want to test the Snort machine, send a ping packet (which is basically ICMP ECHO REQUEST packet on UNIX machines). Again, you can use this rule when you install Snort to make sure that it is working well. As an example, send an ICMP packet to your gateway address or some other host on the network using the following command:
Note that 192.168.2.1 is the IP address of gateway/router or some other host on the same network where the Snort machine is present. This command should be executed on the machine where you installed Snort. The command can be used both on UNIX and Microsoft Windows machines.
I use a slightly modified version of this rule to continuously monitor multiple Snort sensors just to make sure everybody is up and running. This rule is as follows:
alert icmp 192.168.1.4 any -> 192.168.1.1 any (msg: "HEARTBEAT";)
My Snort sensor IP address is 192.168.1.4 and gateway address is 192.168.1.1. I run the following command through cron daemon on the Linux machine to trigger this rule every 10 minutes.
ping -n 1 192.168.1.1
The command sends exactly one ICMP packet to the gateway machine. This packet causes an alert entry to be created. If there is no alert every 10 minutes, there is something wrong with the sensor.