How to detect a couple of pings transmitted from a virtual machine to another by using Snort, which is integrated in AlienVault?

Question

For the record: I did the following instruction (found them on a website)

I enabled snort sensors (snort_syslog and snortunified).
In alienvault: ~# nano /etc/snort/rules/local.rules

I did the following rule

alert icmp 192.168.1.130 192.168.1.120 -> any any
(msg:"blablabla"; sid:1000004)

Save and exit

After that I did:

alienvault:~# perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/

alienvault:~# /etc/init.d/ossim-server restart

For some reasons nothing happens in AlienVault interface in SIEM when I ping 192.168.1.120 from 192.168.1.130.

Any ideas??

This might be my favorite SO question title yet. We programmers must sound like crazy people to non-techies... — Nerrolken, Jun 10 '15 at 19:22

score 0 · Answer 1 · answered Jul 08 '15 at 14:13

I don't know wether it is still relevant but in my opinion there is a mistake in your Snort rule:

The rule in Snort cannot consist of two IP-adresses in the first part of the rule header. At the point where you declared the IP '192.168.1.120' you have to declare a port.

The solution you need looks like the following (if i get you right):

alert icmp 192.168.120 any -> 192.168.1.130 any (msg:"blablabla"; sid:1000004)

And also the other way:

alert icmp 192.168.1.130 any -> 192.168.1.120 any (msg:"blablabla"; sid:1000005)

For writing rules in the correct syntax take a look at the manual of snort: http://manual.snort.org/node29.html#SECTION00423000000000000000

I hope that this can help you.

/Chris

How to detect a couple of pings transmitted from a virtual machine to another by using Snort, which is integrated in AlienVault?

Any ideas??

1 Answers1