“This is a quick and easy way to test Snort and make sure it’s
doing something. Enter this rule in
/etc/snort/rules/local.rules:

    alert tcp any any -> $HOME_NET any (msg:"this is only a test"; sid:99887766;)

It means “alert on any TCP packet from any IP address and any
port number entering my local network; print the message “this is
only a test” in the logfile, and give this rule a made-up ID number
that hopefully doesn’t conflict with any of the rule SIDs that
already exist in /etc/snort/rules.””
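An added check, not part of the quoted text: a small Python script that parses a Snort rule line, extracts its sid, and reports whether that sid already appears in an existing rules file (the "hopefully doesn't conflict" concern above). The rule text and the sample local.rules contents are constructed here for illustration; the rule grammar covered is the classic Snort 2 header plus options form shown in the quote.

```python
import re

# Classic Snort rule: action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r'^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)
# sid must be a standalone option, i.e. at the start of the option list or
# right after a ';' (so a 'sid:' embedded inside a msg string is ignored).
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')

# Constructed example of an existing local.rules; the second rule
# deliberately reuses the sid from the test rule in the quote.
EXISTING_RULES = """\
# constructed sample local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP to home net"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH to home net"; sid:99887766; rev:2;)
""".splitlines()

TEST_RULE = 'alert tcp any any -> $HOME_NET any (msg:"this is only a test"; sid:99887766;)'


def parse_rule(line):
    """Return the header fields, option string and sid of one rule, or None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    sid = SID_RE.search(fields["opts"])
    fields["sid"] = int(sid.group(1)) if sid else None
    return fields


def collect_sids(lines):
    """Map each sid found in a rules file to the 1-based line numbers using it."""
    sids = {}
    for lineno, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        rule = parse_rule(line)
        if rule and rule["sid"] is not None:
            sids.setdefault(rule["sid"], []).append(lineno)
    return sids


def sid_conflicts(new_rule, existing_lines):
    """Line numbers in existing_lines that already use new_rule's sid."""
    rule = parse_rule(new_rule)
    if rule is None or rule["sid"] is None:
        raise ValueError("rule does not parse or carries no sid")
    return collect_sids(existing_lines).get(rule["sid"], [])
```

On a real box, replace EXISTING_RULES with the lines read from every file under /etc/snort/rules before adding the test rule.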