How to detect a couple of pings transmitted from a virtual machine to another by using Snort, which is integrated in AlienVault?

Question

For the record: I did the following instruction (found them on a website)

1. I enabled snort sensors (snort_syslog and snortunified).

2. In alienvault: ~# nano /etc/snort/rules/local.rules

3. I did the following rule

   alert icmp 192.168.1.130 192.168.1.120 -> any any
   (msg:"blablabla"; sid:1000004)
   

4. Save and exit

5. After that I did:

   alienvault:~# perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
   

6. alienvault:~# /etc/init.d/ossim-server restart

For some reasons nothing happens in AlienVault interface in SIEM when I ping 192.168.1.120 from 192.168.1.130.

Any ideas??

Answer 1

I don't know wether it is still relevant but in my opinion there is a mistake in your Snort rule:

The rule in Snort cannot consist of two IP-adresses in the first part of the rule header. At the point where you declared the IP '192.168.1.120' you have to declare a port.

The solution you need looks like the following (if i get you right):

alert icmp 192.168.120 any -> 192.168.1.130 any (msg:"blablabla"; sid:1000004)

And also the other way:

alert icmp 192.168.1.130 any -> 192.168.1.120 any (msg:"blablabla"; sid:1000005)

For writing rules in the correct syntax take a look at the manual of snort: http://manual.snort.org/node29.html#SECTION00423000000000000000

I hope that this can help you.

/Chris