--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
The rule is missing a little syntax, maybe try:
alert icmp any any -> $HOME_NET any (msg:"ICMP Testing"; sid:1000001; rev:1;)
and don't forget that the end is a semicolon and not a colon.
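A small rule linter for the mistake discussed above (an option block terminated with a colon instead of a semicolon, or a missing sid), as an added example that is not part of the thread or of Security Onion itself. The sample rules are constructed; the header and option grammar it checks is the common Snort/Suricata form, not the engines' full parser.

```python
import re

# Constructed sample rules (hypothetical): the one suggested in the thread, plus two broken variants.
RULE_OK = 'alert icmp any any -> $HOME_NET any (msg:"ICMP Testing"; sid:1000001; rev:1;)'
RULE_COLON_END = 'alert icmp any any -> $HOME_NET any (msg:"ICMP Testing"; sid:1000001; rev:1:)'
RULE_NO_SID = 'alert icmp any any -> $HOME_NET any (msg:"ICMP Testing";)'

# Rule header: action proto src sport direction dst dport, then the option block in parentheses.
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)'
    r'\s*\((?P<opts>.*)\)\s*$'
)
# One option: keyword, colon, value (quoted or bare), terminated by a semicolon.
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')

def parse_options(opts):
    """Return (dict of keyword->value, unparsed remainder) for an option block."""
    found, pos = {}, 0
    while pos < len(opts):
        m = OPTION_RE.match(opts, pos)
        if not m:
            break  # stop at the first option that is not properly ';'-terminated
        found[m.group(1)] = m.group(2).strip('"')
        pos = m.end()
    return found, opts[pos:].strip()

def check_rule(rule):
    """Return a list of problems with a single Snort/Suricata rule line; empty means it looks valid."""
    problems = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ['header does not parse: expected "action proto src sport -> dst dport (options)"']
    opts, rest = parse_options(m.group('opts'))
    if rest:
        problems.append(f'unterminated or malformed option near "{rest}" (each option must end with ";")')
    if 'msg' not in opts:
        problems.append('missing msg option')
    if 'sid' not in opts:
        problems.append('missing sid option (every rule needs a unique sid)')
    elif not opts['sid'].isdigit() or int(opts['sid']) < 1000000:
        problems.append('local rules should use sid >= 1000000 to avoid clashing with ET/VRT sids')
    if 'rev' not in opts:
        problems.append('missing rev option')
    return problems

if __name__ == '__main__':
    for r in (RULE_OK, RULE_COLON_END, RULE_NO_SID):
        print(r, '->', check_rule(r) or 'OK')
```

Run it over each line of local.rules before restarting the sensor; a rule the engine rejects at load time never produces a Sguil event, which looks the same as "alerts not showing".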
Tried as per your syntax, but the issue still persists.
PFA the sostat-redacted output.
=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
1686 1:1000003 UDP Testing Rule
646 1:1000001 ICMP Testing Rule
2 1:2019512 ET POLICY Possible IP Check api.ipify.org
1 1:2100498 GPL ATTACK_RESPONSE id check returned root
Total
2335
=========================================================================
Last update
=========================================================================
Where is it that you cannot view them? In Sguil? ELSA?
Sguil.
Yes. I installed it in a Hyper-V machine.
After selecting all interfaces, ICMP logs are also not showing in Sguil. PFA local.rules.
Do you see these alerts in Squert or ELSA?
Thanks,
Wes