Snort mailing list archives

questions about snort behavior


From: May Smith <may24x () yahoo com>
Date: Wed, 15 Apr 2015 11:46:25 +0000 (UTC)

Hi all,
I'm pretty new to snort and have managed to deploy it along with barnyard2 and Snorby on a test VM (CentOS7 64Bit).
Now it's time to configure the components so they'll work together.
Starting with snort, I realized some strange behaviors, which I'm unsure are fault or feature ... ;)
My config regarding the network to monitor is:

# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.187.130/30

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET

I've another (virtual) machine listening on 192.168.178.135 and - for testing purposes - created the following rules:

alert tcp any any -> any 22 (msg:"ssh access";sid:1000003;)
alert icmp 192.168.187.130 any -> any any (msg:"pings detected";sid:1000002;)

(for testing) my command line to start snort is:

snort -A console -i eno16777736 -u snort -g snort -c /etc/snort/snort.conf

1. When I ping 'localhost', the host is reachable but snort recognizes nothing.
2. When I ping 192.168.187.135, the host is reachable but snort recognizes nothing.
3. When I ping google.com, the host is reachable and snort shows:

04/15-07:34:46.978754  [**] [1:1000002:0] pings detected [**] [Priority: 0] {ICMP} 192.168.187.130 -> 98.138.253.109

Why?
Almost the same behavior with ssh. localhost and 192.168.187.135 don't show anything.
Logging in to another host ... first doesn't show anything ... but when the session is closed, I see:

04/15-07:37:20.656375  [**] [1:1000003:0] ssh access [**] [Priority: 0] {TCP} 192.168.187.130:33760 -> xxx.xxx.xxx.xxx:22

I'd expected that snort would alert the moment someone triggers an ssh connection ... and not wait until the ssh session is closed!
I've enabled unified logging in /etc/snort/snort.conf, but all I see in /var/log/snort is:
/var/log/snort > ls -la

drwxr-xr-x   2 snort snort   34 15. Apr 07:28 .
drwxr-xr-x. 23 root  root  4096 15. Apr 06:24 ..
-rw-r--r--   1 snort snort    0 15. Apr 06:24 alert
-rw-------   1 snort snort    0 15. Apr 07:37 snort.log

Why?
Config entries are:
# unified2 
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp 
Can you help me out?
regards
May
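A small parser for the "-A console" alert lines quoted above, together with a check of which addresses the HOME_NET line in the quoted config actually covers. This is an added example, not code from the post or from the Snort project. It assumes: IPv4-only alert lines in the format shown above; the second sample alert is constructed from the post's line with the masked "xxx.xxx.xxx.xxx" replaced by the documentation address 203.0.113.10; and that Snort applies the /30 mask to 192.168.187.130/30 the same way the CIDR normalization below does (an assumption, stated in the code).

```python
"""Parse Snort console ("fast") alert lines and check endpoints against
HOME_NET as declared in snort.conf 'ipvar' syntax.

Added example; not code from the mailing-list post or the Snort project.
Sample inputs below are constructed (the second alert line replaces the
post's masked address with the documentation address 203.0.113.10).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed config fragment, copied from the post's HOME_NET line.
CONF = """\
ipvar HOME_NET 192.168.187.130/30
ipvar EXTERNAL_NET !$HOME_NET
"""

# Constructed alert lines in the "-A console" format shown in the post.
SAMPLE_ALERTS = [
    "04/15-07:34:46.978754  [**] [1:1000002:0] pings detected [**] [Priority: 0] {ICMP} 192.168.187.130 -> 98.138.253.109",
    "04/15-07:37:20.656375  [**] [1:1000003:0] ssh access [**] [Priority: 0] {TCP} 192.168.187.130:33760 -> 203.0.113.10:22",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]? [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a console-format line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return Alert(
        ts=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], priority=int(g["prio"]), proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
    )


def parse_ipvar(conf_text: str, name: str) -> List[ipaddress.IPv4Network]:
    """Extract a literal 'ipvar NAME net[,net...]' value as a list of networks.

    strict=False clears host bits, so 192.168.187.130/30 becomes
    192.168.187.128/30 (assumption: Snort masks the value the same way).
    Negated ('!') and 'any' values are out of scope for this example.
    """
    m = re.search(rf"^\s*ipvar\s+{re.escape(name)}\s+(\S+)", conf_text, re.MULTILINE)
    if m is None:
        raise KeyError(f"ipvar {name} not found")
    raw = m.group(1).strip("[]")
    if raw == "any" or raw.startswith("!"):
        raise ValueError("only positive literal networks are handled here")
    return [ipaddress.ip_network(tok, strict=False) for tok in raw.split(",") if tok]


def in_home_net(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def direction(alert: Alert, nets: List[ipaddress.IPv4Network]) -> str:
    """Label the flow as home/ext on each side, e.g. 'home->ext'."""
    s = "home" if in_home_net(alert.src, nets) else "ext"
    d = "home" if in_home_net(alert.dst, nets) else "ext"
    return f"{s}->{d}"


def summarize(lines: List[str], conf_text: str) -> List[Tuple[int, str, str]]:
    """(sid, proto, direction) for every parseable alert line."""
    nets = parse_ipvar(conf_text, "HOME_NET")
    out = []
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            out.append((a.sid, a.proto, direction(a, nets)))
    return out


if __name__ == "__main__":
    nets = parse_ipvar(CONF, "HOME_NET")
    print("HOME_NET expands to", [str(n) for n in nets],
          "usable hosts:", [str(h) for n in nets for h in n.hosts()])
    for probe in ("192.168.187.130", "192.168.187.135", "127.0.0.1"):
        print(probe, "in HOME_NET:", in_home_net(probe, nets))
    for row in summarize(SAMPLE_ALERTS, CONF):
        print(row)
```

Running it shows that the /30 covers only 192.168.187.128-131, so 192.168.187.135 and 127.0.0.1 fall outside HOME_NET; the two rules in the post use "any" so this does not by itself explain the missing alerts, but it is the first thing to check before tuning rules that do reference $HOME_NET or $EXTERNAL_NET.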


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
