Debugging Snort Rules

Problem

A rule isn't doing what it should be. How can you find out why?

Solution

Isolate your rules, and test them one by one in a simple file by using the following syntax:

snort -i eth0 -n 1 -c filename


Discussion

This allows you to test each rule for correctness. Each rule should parse properly; Snort will exit after it receives one packet. Unfortunately, this only checks that the rule is correctly formed. It doesn't ensure that your logic is right. If a rule isn't doing what you are expecting it to, take it back to first principles:

Sometimes it might be wise to start from a clean sheet. The most persistent errors are the ones that you read past time and time again until you start over, at which point they become obvious.
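The recipe's check is easy to apply by hand to one rule, but a typical local rules file holds dozens. The script below is an added example, not part of the original recipe: it splits a rules file into one-rule files (joining backslash continuation lines and skipping comments) and then runs the recipe's own command, snort -i IFACE -n 1 -c FILE, against each file, reporting which ones fail to parse. The function names, the sample rules and their sid values are constructed for illustration; the interface name eth0 is the one the recipe uses.

```shell
#!/bin/sh
# Added example (not from the Snort Cookbook): isolate rules one per file and
# run the recipe's one-packet parse check on each.

# Write a small constructed rules file to $1 (two rules, one using a
# backslash continuation line, plus a comment and a blank line).
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules for the debugging walk-through
alert tcp any any -> any 80 (msg:"HTTP GET seen"; content:"GET "; sid:1000001; rev:1;)

alert icmp any any -> any any (msg:"ICMP echo request"; itype:8; \
    sid:1000002; rev:1;)
EOF
}

# split_rules RULESFILE OUTDIR
# Writes each complete rule from RULESFILE to OUTDIR/rule-N.rules and prints N,
# the number of rule files written. Blank lines and '#' comments are skipped;
# a trailing backslash continues the rule on the next line.
split_rules() {
    rules="$1"; outdir="$2"
    mkdir -p "$outdir"
    n=0; buf=''
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blanks and comments, but only when not inside a continuation.
        if [ -z "$buf" ]; then
            case "$line" in ''|'#'*) continue ;; esac
        fi
        case "$line" in
            *\\) buf="$buf${line%\\}"; continue ;;   # keep accumulating
        esac
        buf="$buf$line"
        n=$((n + 1))
        printf '%s\n' "$buf" > "$outdir/rule-$n.rules"
        buf=''
    done < "$rules"
    echo "$n"
}

# check_rule IFACE RULEFILE
# The recipe's check: Snort parses RULEFILE as its configuration, reads one
# packet from IFACE (-n 1) and exits. A non-zero exit status means the rule
# did not parse; it says nothing about whether the rule's logic is right.
check_rule() {
    iface="$1"; file="$2"
    if snort -i "$iface" -n 1 -c "$file" >/dev/null 2>&1; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (see: snort -i $iface -n 1 -c $file)"
    return 1
}

# Stand-alone run: build the sample, split it, and check every rule file.
main() {
    iface="${1:-eth0}"
    work=$(mktemp -d)
    make_sample_rules "$work/local.rules"
    total=$(split_rules "$work/local.rules" "$work/split")
    echo "wrote $total single-rule file(s) under $work/split"
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort not on PATH; skipping the live parse check" >&2
        return 0
    fi
    fails=0
    for f in "$work"/split/rule-*.rules; do
        check_rule "$iface" "$f" || fails=$((fails + 1))
    done
    echo "$fails rule file(s) failed to parse"
}
main "$@"
```

Run it as root (Snort needs to open the interface) and pass the interface name as the first argument if it is not eth0. Because -n 1 makes Snort wait for a packet before exiting, use an interface that sees some traffic, otherwise the loop will stall on the first rule. A FAIL line narrows the problem to a single rule; rerun the printed command without the output redirection to see Snort's parse error for it.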

See Also

Snort Users Manual

Building a Distributed IDS (Plain Text)
