For the record: I did the following instructions (found them on a website)

  1. I enabled snort sensors (snort_syslog and snortunified).
  2. In alienvault: ~# nano /etc/snort/rules/local.rules

  3. I did the following rule

    alert icmp 192.168.1.130 192.168.1.120 -> any any
    (msg:"blablabla"; sid:1000004)
    
  4. Save and exit

  5. After that I did:

    alienvault:~# perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
    
  6. alienvault:~# /etc/init.d/ossim-server restart

For some reason nothing happens in the AlienVault interface in SIEM when I ping 192.168.1.120 from 192.168.1.130.

Any ideas??

Chris On

I don't know whether it is still relevant but in my opinion there is a mistake in your Snort rule:

The rule in Snort cannot consist of two IP addresses in the first part of the rule header. At the point where you declared the IP '192.168.1.120' you have to declare a port.

The solution you need looks like the following (if I get you right):

alert icmp 192.168.1.120 any -> 192.168.1.130 any (msg:"blablabla"; sid:1000004;)

And also the other way:

alert icmp 192.168.1.130 any -> 192.168.1.120 any (msg:"blablabla"; sid:1000005;)

For writing rules in the correct syntax take a look at the Snort manual: http://manual.snort.org/node29.html#SECTION00423000000000000000

I hope that this can help you.

/Chris
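As an added illustration of the header mistake Chris points out (example code added here, not written by either poster and not part of Snort or OSSIM), a small Python checker that validates the five Snort header fields and flags an IP address sitting in a port position. The two sample rules are constructed from this thread: the one from the question, and the corrected form with the trailing semicolon Snort requires after the last option.

```python
import re
import ipaddress

# Snort 2 rule layout: action proto src_addr src_port direction dst_addr dst_port (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def is_addr(tok):
    """Accepts an IP, a CIDR block, 'any' or a $VAR, each optionally negated with '!'."""
    tok = tok.lstrip("!")
    if tok == "any" or tok.startswith("$"):
        return True
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False

def is_port(tok):
    """Accepts a port, a range (1:1024, 1024:, :1024), 'any' or a $VAR, optionally negated."""
    tok = tok.lstrip("!")
    if tok == "any" or tok.startswith("$"):
        return True
    return re.fullmatch(r"\d+(:\d*)?|:\d+", tok) is not None

def check_rule(rule):
    """Return a list of problems with the rule; an empty list means it looks sane."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["header does not match 'action proto addr port -> addr port (options)'"]
    problems = []
    for field in ("src", "dst"):
        if not is_addr(m[field]):
            problems.append(f"{field} address '{m[field]}' is not an address")
    for field in ("sport", "dport"):
        tok = m[field]
        if not is_port(tok):
            hint = " (looks like an IP address in a port field)" if is_addr(tok) else ""
            problems.append(f"{field} '{tok}' is not a port{hint}")
    opts = m["opts"].strip()
    if not opts.endswith(";"):
        problems.append("last rule option must be terminated with ';'")
    if not re.search(r"\bsid\s*:\s*\d+", opts):
        problems.append("rule has no sid")
    return problems

# Constructed samples: the rule from the question and the corrected rule from the answer.
BROKEN = 'alert icmp 192.168.1.130 192.168.1.120 -> any any (msg:"blablabla"; sid:1000004)'
FIXED = 'alert icmp 192.168.1.130 any -> 192.168.1.120 any (msg:"blablabla"; sid:1000005;)'

if __name__ == "__main__":
    for rule in (BROKEN, FIXED):
        print(rule, "->", check_rule(rule) or "OK")
```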