Using Snort as a simple IDS

In my previous blog (Testing Snort 2.7.0 Beta 1) , I described about my endeavour to install Snort 2.7.0Beta1. After successfully install Snort, I want to create a simple IDS rule and use my Snort as a simple IDS.

To test Snort as an IDS, first I created a simple rule like the following :


Then I started Snort using the following command :



I open up another Konsole, and ping localhost :


In Snort window, I press Ctrl-C. Snort will appear as not responding to Ctrl-C, but in fact it’s waiting for the first packet.

In other Konsole, I ping the localhost again :


In Snort window, the display will be like the following :


You can see that Snort is actually responding to our Ctrl-C press after it received the first packet matching its rules.

From the figure above, we can see that Snort received 10 packets and it analyzed 2 (two) ICMP packets. Those packets generated 5 alerts and 5 log entries.

In the tests/ directory we can see that Snort has created two files :


And here is the alert file contents :


Our Snort has analyzed ICMP packets according to the rule we’ve created.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s