Run a Business Network on Linux: Intrusion Detection (Part 4)
Jun 12, 2008, 22:00
By Carla Schroder
"This is a quick and easy way to test Snort and make sure it's doing something. Enter this rule in /etc/snort/rules/local.rules:

alert tcp any any -> $HOME_NET any (msg:"this is only a test"; sid:99887766;)

It means "alert on any TCP packet from any IP address and any port number entering my local network; print the message "this is only a test" in the logfile, and give this rule a made-up ID number that hopefully doesn't conflict with any of the rule SIDs that already exist in /etc/snort/rules.""
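The rule quoted above, exercised in an added example that is not code from the article or from the Snort project: a toy parser and matcher for a Snort rule header and its option keywords, so the meaning of "any any -> $HOME_NET any" can be checked against described packets without a running sensor, plus the two SID checks the quoted paragraph alludes to (is the made-up SID in the range Snort reserves for local rules, and does it collide with another rule). The value of $HOME_NET (192.168.1.0/24) and the sample rules-file contents are constructed assumptions; in a real install HOME_NET comes from the ipvar line in snort.conf.

```python
"""Toy Snort rule parser/matcher. Added example, not Snort's own code."""
import ipaddress
import re

# Assumption: the sensor's HOME_NET as it would be declared in snort.conf.
VARIABLES = {"HOME_NET": ["192.168.1.0/24"]}

# The rule from the quoted text. Snort reads one rule per line, so it must
# not be wrapped the way the excerpt was.
TEST_RULE = ('alert tcp any any -> $HOME_NET any '
             '(msg:"this is only a test"; sid:99887766;)')

# Snort reserves SIDs of 1000000 and above for locally written rules;
# lower values belong to the reserved and distributed rule sets.
LOCAL_SID_MIN = 1000000

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed stand-in for /etc/snort/rules/local.rules, with a deliberate
# SID collision between the first and third rule.
SAMPLE_RULES = """\
# local rules (constructed sample)
alert tcp any any -> $HOME_NET 23 (msg:"telnet to inside host"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"this is only a test"; sid:99887766;)
alert icmp any any -> $HOME_NET any (msg:"inbound ping"; sid:1000001; rev:2;)
"""


def parse_options(body):
    """Split 'key:value; key2;' into a dict; ';' inside quotes is kept."""
    options, current, in_quotes = {}, [], False

    def flush():
        key, _, val = ''.join(current).strip().partition(':')
        if key:
            options[key.strip()] = val.strip().strip('"')
        current.clear()

    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            flush()
        else:
            current.append(ch)
    flush()  # tolerate a rule whose last option lacks the trailing ';'
    return options


def parse_rule(text):
    """Parse one single-line rule into header fields plus an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % text)
    rule = m.groupdict()
    rule["options"] = parse_options(rule.pop("body"))
    return rule


def ip_matches(spec, ip):
    """Address field: any, $VAR, host or CIDR, [a,b,...] list, or !spec."""
    if spec.startswith('!'):
        return not ip_matches(spec[1:], ip)
    if spec == 'any':
        return True
    if spec.startswith('$'):
        return any(ip_matches(s, ip) for s in VARIABLES[spec[1:]])
    if spec.startswith('['):
        return any(ip_matches(s.strip(), ip) for s in spec[1:-1].split(','))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Port field: any, a single port, a range lo:hi (either end open), or !spec."""
    if spec.startswith('!'):
        return not port_matches(spec[1:], port)
    if spec == 'any':
        return True
    if ':' in spec:
        lo, hi = spec.split(':', 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport. True if the rule fires."""
    if rule["proto"] not in ('any', 'ip') and rule["proto"] != pkt["proto"]:
        return False
    forward = (ip_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
               and ip_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if rule["dir"] == '->':
        return forward
    # '<>' is bidirectional: the packet may also travel the other way.
    backward = (ip_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"])
                and ip_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"]))
    return forward or backward


def sid_is_local(sid):
    """True if the SID sits in the range Snort sets aside for local rules."""
    return int(sid) >= LOCAL_SID_MIN


def duplicate_sids(rules_text):
    """SIDs that appear in more than one rule line of a rules file body."""
    seen, dupes = set(), set()
    for line in rules_text.splitlines():
        if line.strip().startswith('#'):
            continue
        for sid in SID_RE.findall(line):
            (dupes if sid in seen else seen).add(sid)
    return dupes


if __name__ == "__main__":
    rule = parse_rule(TEST_RULE)
    inbound = {"proto": "tcp", "src": "203.0.113.5", "sport": 40000,
               "dst": "192.168.1.10", "dport": 22}
    print("inbound SSH fires the rule:", rule_matches(rule, inbound))
    print("SID is in the local range:", sid_is_local(rule["options"]["sid"]))
    print("duplicate SIDs in sample file:", duplicate_sids(SAMPLE_RULES))
```

The direction check is what makes the quoted rule a sensible test: an inbound TCP packet to a HOME_NET host fires it, while a reply from that host back out does not, because `->` is not bidirectional. Running the duplicate check over the real local.rules before adding a made-up SID turns "hopefully doesn't conflict" into something you can verify; Snort itself refuses to start on a duplicate SID, so catching it first saves a restart.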