Re: [Snort-users] Re: I don't get any alerts when reading from file.
This is a discussion on Re: [Snort-users] Re: I don't get any alerts when reading from file. within the Snort forums, part of the System Security and Security Related category; First of all, thanks for your time! Now, here is the entire process I use. I have written a small ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
08-03-2004
|
|||
|
|||
Re: [Snort-users] Re: I don't get any alerts when reading from file.
First of all, thanks for your time!
Now, here is the entire process I use. I have written a small program in C++ that reads all the .rules files that have a 'content' field and generates fake IP packets that match those rules. The packets contain all the necessary header data (IP and TCP/UDP) to match the rule along with the necessary payload (random but with content that matches that of the rule). I write these packets in hexdump format and then use the tool 'text2pcap' of Ethereal to convert it from hexdump to tcpdump format,using teh command line "text2pcap -q -l 12 <source> <destination>", and after that I take the newly generated file and feed it to snort. Using the -vd switches I can see that the IP addresses, ports and payload are ok (i.e. should match) yet I get nothing. And the fake samples I use are large enough (250000 packets) that at least some should have triggered. > How did you create the tcpdump file? What was the command line you > used with tcpdump? > > Can you try running Snort like this: > > snort -c snort.conf -A console -b -r test.txt > > What makes you think that every packet should be generating an alert? > Which SID do you expect to be firing? > > You might want to start with a simpler test to just detect the specific > alert that you're looking for. You could even write a custom rule for > it... > > -Marty > > > > -- > Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616 > Sourcefire: Intelligent Security Monitoring > roesch@sourcefire.com - http://www.sourcefire.com > Snort: Open Source Network IDS - http://www.snort.org ------------------------------------------------------- This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
