Re: [Snort-users] Re: I don't get any alerts when reading from file.
This is a discussion on Re: [Snort-users] Re: I don't get any alerts when reading from file. within the Snort forums, part of the System Security and Security Related category; How did you create the tcpdump file? What was the command line you used with tcpdump? Can you try running ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
08-03-2004
|
|||
|
|||
Re: [Snort-users] Re: I don't get any alerts when reading from file.
How did you create the tcpdump file? What was the command line you
used with tcpdump? Can you try running Snort like this: snort -c snort.conf -A console -b -r test.txt What makes you think that every packet should be generating an alert? Which SID do you expect to be firing? You might want to start with a simpler test to just detect the specific alert that you're looking for. You could even write a custom rule for it... -Marty On Aug 2, 2004, at 5:03 AM, dimopoulos@mhl.tuc.gr wrote: > Still, I should have been able to get alerts for infected UDP files, > right? I get absolutely NO alerts! Any other ideas? > >> A lot of the snort signatures require an established connection (TCP >> handshake). Look for "flow:established" in the rule. If your pcap >> file >> only contains the packets with the signatures and not the entire >> session, snort will not trigger on them. >> >> That's just my guess... >> >> On Fri, 30 Jul 2004 12:55:29 +0300 (EEST), dimopoulos@mhl.tuc.gr >> <dimopoulos@mhl.tuc.gr> wrote: >>> Hullo. >>> I'm using snort 2.1.3 on Windows 2000 SP4, on a 1.5 GHz Pentium 4 >>> processor with 512 MB and have libcap 3.0. For the past days I've >>> been >>> trying in vain to get snort to read from a file and log the alerts, >>> yet nothing happens. I've editted snort.conf to include all the rule >>> files and set all adresses to 'any'. For a typical execution I use: >>> snort.exe -c snort.conf -r test.txt (test.txt is a random tcp dump >>> file i have created using Ethereal and every packet in the file >>> contains a signature.) I can see that the rules are read successfully >>> from the '.rule' files "2060 Snort rules read... >>> 2060 Option Chains ;inked into 254 Chain Headers" >>> At the results section the "Breakdown by protocol:" is correct but >>> the >>> actions are all 0 (alerts=0,logged=0,passed=0). When I use -vd I can >>> see the header and the data of the packets are all ok (and should >>> generate alerts). I've tried the various -A switches, no change. >>> After >>> reading both the manual and the FAQ I still haven't found anything. >>> Am >>> I blind and have missed something obvious? Any help will be deeply >>> appreciated and will help spare what little hair I haven't torn off >>> my >>> scalp yet!! Thanks! >>> -- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616 Sourcefire: Intelligent Security Monitoring roesch@sourcefire.com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org ------------------------------------------------------- This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
