Debugging Snort Rules
Problem
A rule isn't doing what it should be. How can you find out why?
Solution
Isolate your rules, and test them one by one in a simple file by using the following syntax:
snort -i eth0 -n 1 -c filename
Discussion
This allows you to test each rule for correctness. Each rule should parse properly, and Snort will exit after it receives one packet (that is what -n 1 does). Unfortunately, this only checks that the rule is correctly formed. It doesn't ensure that your logic is right. If a rule isn't doing what you are expecting it to, take it back to first principles:
- Are you carrying out the right action (Pass, Log, Alert, Dynamic or Activate)?
- Are you looking at the right protocol (TCP or UDP)?
- Are you using only one protocol per rule?
- Are you looking at the right source and destination addresses?
- Are you looking at the right source and destination ports?
- Is your rule running in the right direction (->, <-, or <>)?
- Are you looking for the right thing?
- Are you suppressing the rule anywhere?
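As an added example (not from the Snort Cookbook or the Snort project), the following Python script runs the checklist above against each rule header in a rules file before you hand the file to snort -n 1 -c. It does not execute Snort; the sample rules at the bottom are constructed, the accepted protocols are the ones Snort's rule headers take (tcp, udp, icmp, ip), and the address and port patterns are deliberately loose.

```python
import re

# Added example, not Snort's own code: a first-principles checker for rule headers. It does
# not run Snort; it only flags header mistakes that stop a rule parsing or make it watch the
# wrong traffic. Address and port patterns are deliberately loose (variables, lists, ranges).
ACTIONS = {"pass", "log", "alert", "dynamic", "activate"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}  # Snort parses no "<-": swap the two sides and use "->"
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+|\d*:\d*)$")
ADDR_RE = re.compile(r"^!?(any|\$\w+|\[.+\]|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?)$")
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$"
)

def check_rule(rule):
    """Return the problems found in one rule's header; an empty list means it looks sane."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["header is not 'action proto src sport dir dst dport (options)'"]
    f = m.groupdict()
    problems = []
    if f["action"].lower() not in ACTIONS:
        problems.append("unknown action %r" % f["action"])
    if re.search(r"[,/]", f["proto"]):
        problems.append("only one protocol per rule (%r)" % f["proto"])
    elif f["proto"].lower() not in PROTOCOLS:
        problems.append("unknown protocol %r" % f["proto"])
    if f["dir"] not in DIRECTIONS:
        problems.append("bad direction %r (Snort accepts -> and <>)" % f["dir"])
    for name in ("src", "dst"):
        if not ADDR_RE.match(f[name]):
            problems.append("odd %s address %r" % (name, f[name]))
    for name in ("sport", "dport"):
        if not PORT_RE.match(f[name]):
            problems.append("odd %s port %r" % (name, f[name]))
    if f["opts"] is not None and not f["opts"].rstrip().endswith(";"):
        problems.append("every option, including the last, must end with ';'")
    return problems

def check_file(text):
    """Map each non-blank, non-comment rule line of a rules file to its list of problems."""
    return {line: check_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

# Constructed sample rules: one sane rule and three classic checklist mistakes.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed sample"; content:"GET"; sid:1000001;)
alert tcp,udp any any -> any 53 (msg:"two protocols"; sid:1000002;)
alert udp any any <- $HOME_NET 53 (msg:"wrong arrow"; sid:1000003;)
alrt tcp any any -> any 22 (msg:"missing final semicolon"; sid:1000004)
"""
```

Only rules that come back with an empty problem list are worth the one-packet Snort run; the rest fail on the header before their logic is ever exercised.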
Sometimes it might be wise to start from a clean sheet. The most persistent errors are the ones you look straight past time and time again until you begin again, at which point they become obvious.
See Also
Snort Users Manual
Building a Distributed IDS (Plain Text)