Re: [Fwd: Re: [Snort-users] Re: I don't get any alerts when reading from file.]
This is a discussion on Re: [Fwd: Re: [Snort-users] Re: I don't get any alerts when reading from file.] within the Snort forums, part of the System Security and Security Related category; Are these packets you're creating all TCP based? If so, you can't just generate TCP packets that match ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
08-03-2004
|
|||
|
|||
Re: [Fwd: Re: [Snort-users] Re: I don't get any alerts when reading from file.]
Are these packets you're creating all TCP based? If so, you can't just
generate TCP packets that match Snort rules and expect it to fire, Snort's engine is stateful and won't just alert on random TCP packets, it needs to see a full TCP three-way-handshake to put the stream trackers into the ESTABLISHED state. That's what those "flow: established" keywords are for in the rules. This functionality was written into Snort to defeat snot/stick/sneeze type applications (such as the one you're writing) back in the 1.8.x days... -Marty On Aug 3, 2004, at 5:34 AM, dimopoulos@mhl.tuc.gr wrote: > First of all, thanks for your time! > Now, here is the entire process I use. I have written a small program > in > C++ that reads all the .rules files that have a 'content' field and > generates fake IP packets that match those rules. The packets contain > all the necessary header data (IP and TCP/UDP) to match the rule along > with the necessary payload (random but with content that matches that > of > the rule). I write these packets in hexdump format and then use the > tool > 'text2pcap' of Ethereal to convert it from hexdump to tcpdump > format,using teh command line "text2pcap -q -l 12 <source> > <destination>", and after that I take the newly generated file and feed > it to snort. Using the -vd switches I can see that the IP addresses, > ports and payload are ok (i.e. should match) yet I get nothing. And the > fake samples I use are large enough (250000 packets) that at least some > should have triggered. > I tried running snort like > snort -c snort.conf -A console -b -r test.txt > but nothing changed. > > PS: I used snort to log some packets off the net and then fed the > snort-generated log file to snort. Those logs DID trigger snort. Could > the > problem be with Ethereal? Or am I simply banging my head against a > wall?Thanks! > >> How did you create the tcpdump file? What was the command line you >> used with tcpdump? >> >> Can you try running Snort like this: >> >> snort -c snort.conf -A console -b -r test.txt >> >> What makes you think that every packet should be generating an alert? >> Which SID do you expect to be firing? >> >> You might want to start with a simpler test to just detect the >> specific >> alert that you're looking for. You could even write a custom rule >> for >> it... >> >> -Marty >> >> >> >> -- >> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616 >> Sourcefire: Intelligent Security Monitoring >> roesch@sourcefire.com - http://www.sourcefire.com >> Snort: Open Source Network IDS - http://www.snort.org > > > > -- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616 Sourcefire: Intelligent Security Monitoring roesch@sourcefire.com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org ------------------------------------------------------- This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
