local.rules not working

1,237 views

cjimm...@gmail.com

Jun 15, 2017, 6:07:11 AM
to security-onion


Just downloaded the latest version and installed. Trying to test a ping alert using local.rules, but unfortunately the alert is not showing.

My rule is as follows:

alert icmp any any -> (msg:"ICMP Testing"; sid:1000001; rev:1:)

Wes Lambert

Jun 15, 2017, 7:36:51 AM
to securit...@googlegroups.com
Please provide the output of sostat-redacted, attaching as a plain text file, or by using a service like Pastebin.com.

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

KennyWap

Jun 15, 2017, 11:33:01 AM
to security-onion
>
> My rule is as follows:
>
> alert icmp any any -> (msg:"ICMP Testing"; sid:1000001; rev:1:)

the rule is missing a little syntax, maybe try:

alert icmp any any -> $HOME_NET any (msg:"ICMP Testing"; sid:1000001; rev:1;)

and don't forget that the end is a semicolon and not a colon.

custsigs_F13_snort-rule.jpg

cjimm...@gmail.com

Jun 21, 2017, 1:20:28 AM
to security-onion

Tried as per your syntax, but the issue still persists.

cjimm...@gmail.com

Jun 21, 2017, 1:23:11 AM
to security-onion
On Thursday, June 15, 2017 at 5:06:51 PM UTC+5:30, Wes wrote:
> Please provide the output of sostat-redacted, attaching as a plain text file, or by using a service like Pastebin.com.
>
> Thanks,
> Wes
>
> On Jun 15, 2017 6:07 AM, <cjimm...@gmail.com> wrote:
>
> Just downloaded the latest version and installed. Trying to test a ping alert using local.rules, but unfortunately the alert is not showing.
>
> My rule is as follows:
>
> alert icmp any any -> (msg:"ICMP Testing"; sid:1000001; rev:1:)

PFA of sostat-redacted output

New File.txt

Wes Lambert

Jun 21, 2017, 7:29:57 AM
to securit...@googlegroups.com
Is it simply not triggering, or causing an error?

Try checking /var/log/nsm/hostname-interface/snortu-1.log for clues and please post the exact rule syntax you are attempting to use.

Thanks,
Wes


Wes Lambert

Jun 21, 2017, 7:30:42 AM
to securit...@googlegroups.com
Also ensure you run rule-update on the machine.

cjimm...@gmail.com

Jun 22, 2017, 6:03:12 AM
to security-onion
I didn't see any error, and I ran the rule-update command also. PFA of snort-1 log.

cjimm...@gmail.com

Jun 22, 2017, 6:03:59 AM
to security-onion
snortu-1.log

Wes Lambert

Jun 22, 2017, 8:25:31 AM
to securit...@googlegroups.com
Have you tried something like this, in case you are not getting traffic to $HOME_NET?

alert icmp any any -> any any (msg: "ICMP Testing"; sid:1000001; rev:1;)


Thanks,
Wes

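As an added example (not code from this thread or from Security Onion), here is a small Python linter that checks a Snort rule the way KennyWap and Wes did by hand: the header must have seven fields (action, protocol, source, source port, direction, destination, destination port) and every option must end in a semicolon. It runs over the three rules posted in this thread (the original one, the $HOME_NET any correction, and the any any variant); the ACTIONS/PROTOCOLS sets, the function names and the exact problem wording are my own choices.

```python
import re

# Rules copied from this thread; the first is the one that never fired.
ORIGINAL_RULE = 'alert icmp any any -> (msg:"ICMP Testing"; sid:1000001; rev:1:)'
HOME_NET_RULE = 'alert icmp any any -> $HOME_NET any (msg:"ICMP Testing"; sid:1000001; rev:1;)'
ANY_ANY_RULE = 'alert icmp any any -> any any (msg: "ICMP Testing"; sid:1000001; rev:1;)'
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

def split_options(body):
    """Split on ';' outside double quotes; return (options, text_after_last_semicolon)."""
    options, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    return options, "".join(current).strip()

def lint_rule(rule):
    """Return the syntax problems in one Snort rule ([] means it looks well-formed).
    Checks the header shape and option terminators only, not every keyword."""
    m = re.match(r"^(.*?)\s*\((.*)\)\s*$", rule.strip())
    if not m:
        return ["rule options must be enclosed in ( ... )"]
    header, body = m.group(1), m.group(2)
    problems, fields = [], header.split()
    # Header is: action proto src_ip src_port direction dst_ip dst_port (7 fields)
    if len(fields) != 7:
        problems.append(f"header has {len(fields)} fields, expected 7 (missing destination?)")
    else:
        action, proto, _, _, direction, _, _ = fields
        if action not in ACTIONS:
            problems.append(f"unknown action {action!r}")
        if proto not in PROTOCOLS:
            problems.append(f"unknown protocol {proto!r}")
        if direction not in ("->", "<>"):
            problems.append(f"bad direction operator {direction!r}")
    options, tail = split_options(body)
    if tail:  # e.g. 'rev:1:' typed with a colon instead of a terminating semicolon
        problems.append(f"option {tail!r} is not terminated with ';'")
    keys = {opt.split(":", 1)[0].strip() for opt in options}
    if "sid" not in keys:
        problems.append("missing required 'sid' option")
    return problems
```

Calling lint_rule on each non-comment line of local.rules before running rule-update catches the two defects in the original rule (five header fields instead of seven, and rev:1: left unterminated) while both corrected rules pass clean.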

cjimm...@gmail.com

Jun 22, 2017, 9:28:26 AM
to security-onion
local.rules

KennyWap

Jun 22, 2017, 10:03:49 AM
to security-onion
After viewing your redacted sostat it seems that the ICMP and UDP rules are triggering:

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
1686 1:1000003 UDP Testing Rule
646 1:1000001 ICMP Testing Rule
2 1:2019512 ET POLICY Possible IP Check api.ipify.org
1 1:2100498 GPL ATTACK_RESPONSE id check returned root
Total
2335

=========================================================================
Last update
=========================================================================


Where is it that you cannot view them? In Sguil? ELSA?

cjimm...@gmail.com

Jun 26, 2017, 7:45:24 AM
to security-onion

Sguil.

KennyWap

Jun 26, 2017, 10:58:44 AM
to security-onion
Are you using SO within a VM? I have had issues with Sguil when working with a snapshot and have not found a fix yet.

cjimm...@gmail.com

Jun 27, 2017, 2:32:43 AM
to security-onion
On Monday, June 26, 2017 at 8:28:44 PM UTC+5:30, KennyWap wrote:
> Are you using SO within a VM? I have had issues with Sguil when working with a snapshot and have not found a fix yet.

Yes. I installed in a Hyper-V machine.

Doug Burks

Jun 28, 2017, 8:27:57 AM
to securit...@googlegroups.com
If sostat shows Sguil events, I would expect the Sguil client to show events.

When you log into Sguil and it asks which networks to monitor are you
clicking the "Select All" button?


--
Doug Burks

cjimm...@gmail.com

Jul 6, 2017, 7:32:39 AM
to security-onion

> >> Are you using SO within a VM? I have had issues with Sguil when working with a snapshot and have not found a fix yet.
> >
> > Yes. I installed in a Hyper-V machine.
>
> If sostat shows Sguil events, I would expect the Sguil client to show events.
>
> When you log into Sguil and it asks which networks to monitor are you
> clicking the "Select All" button?
>
>
> --
> Doug Burks

After selecting all interfaces, ICMP logs are still not showing in Sguil. PFA local.rules.

local.rules

Wes

Jul 6, 2017, 9:01:11 AM
to security-onion

Do you see these alerts in Squert or ELSA?

Thanks,
Wes
