[Snort-users] Generating alert when reading tcpdump file

Erek Adams erek at ...577...
Wed Jul 3 14:46:02 EDT 2002


On Wed, 3 Jul 2002, Andrew R. Baker wrote:

> tang xun wrote:
> > Hi All,
> >      I got some tcpdump data from various network to
> > analyze. I am able to start snort to read those
> > tcpdump files with the following command and generate
> > logs.
> >
> > snort -A full -v -d -h home_net -l /var/log/snort -r
> > tcpdump_file.
>
>
> You are missing a "-c snort.conf" in the above line.  You need to use
> this if you want Snort to run with any rules enabled.
>
> >     But the "-A full" didn't work. I only got an empty
> > alert file although I can see attacks in the tcpdump
> > file.
> >
> >     The question is whether snort can generate alerts
> > when reading tcpdump files (in playback mode)?
>
> Yes, but you have to load some rules for it to use to detect the alerts.

One thing to also keep in mind:  The default snaplen for tcpdump is 64.  The
default snaplen for snort is 1514.  So tcpdump might 'see' the attack but if
the data that the rules are matching is > 64 into the packet, it won't fire.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
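An added check that is not part of the original thread: before feeding a saved capture to `snort -c snort.conf -r file`, it is worth confirming what snaplen the file was written with and how many records were clipped by it, since a rule whose content match lies past the snaplen can never fire on that file. The script below is example code written for this page, not Snort or tcpdump code. It parses the libpcap global header (both byte orders, microsecond and nanosecond magic) and counts records whose captured length is shorter than their on-wire length; the pcap bytes it examines are constructed in memory, not a real capture, and `SAMPLE_PACKETS`, `build_pcap` and `snaplen_report` are names invented here.

```python
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # libpcap magic, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # libpcap magic, nanosecond timestamps
GLOBAL_HDR = "IHHiIII"       # magic, vmajor, vminor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"          # ts_sec, ts_frac, incl_len, orig_len

# Constructed sample traffic, not real packets: (length on the wire, bytes).
SAMPLE_PACKETS = [
    (40, bytes(range(40))),
    (1000, b"\x00" * 200 + b"GET /cgi-bin/phf?" + b"A" * 783),
    (1514, b"\xff" * 1514),
]


def build_pcap(snaplen, packets, endian="<", linktype=1):
    """Write an in-memory pcap, clipping each packet to `snaplen` the way a
    capture tool does (incl_len < orig_len marks a truncated record)."""
    out = bytearray(struct.pack(endian + GLOBAL_HDR,
                                PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype))
    for ts, (orig_len, payload) in enumerate(packets):
        data = payload[:snaplen]
        out += struct.pack(endian + RECORD_HDR, ts, 0, len(data), orig_len)
        out += data
    return bytes(out)


def snaplen_report(data):
    """Parse a libpcap file and report its snaplen and how many records
    were clipped.  Raises ValueError on a non-pcap or cut-off file."""
    if struct.unpack_from("<I", data, 0)[0] in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        e = "<"
    elif struct.unpack_from(">I", data, 0)[0] in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        e = ">"
    else:
        raise ValueError("not a libpcap file")
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack_from(e + GLOBAL_HDR, data, 0)

    off = struct.calcsize(GLOBAL_HDR)
    packets = truncated = max_orig = 0
    while off + 16 <= len(data):
        _ts, _frac, incl_len, orig_len = struct.unpack_from(e + RECORD_HDR, data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("record at offset %d runs past end of file" % (off - 16))
        packets += 1
        if incl_len < orig_len:        # capture tool clipped this packet
            truncated += 1
        max_orig = max(max_orig, orig_len)
        off += incl_len
    return {
        "version": (vmaj, vmin),
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
        "truncated": truncated,
        "max_orig_len": max_orig,
    }


def rule_reachable(report, deepest_byte_needed):
    """True if every record still holds bytes up to `deepest_byte_needed`
    (1-based offset into the frame), i.e. a content match at that depth
    can be seen by the detection engine."""
    return report["snaplen"] >= deepest_byte_needed


if __name__ == "__main__":
    for label, blob in (("snaplen 64", build_pcap(64, SAMPLE_PACKETS)),
                        ("snaplen 1514", build_pcap(1514, SAMPLE_PACKETS))):
        r = snaplen_report(blob)
        print(label, r, "rule at byte 217 reachable:", rule_reachable(r, 217))
```

Run it against a real file by reading the bytes and passing them to `snaplen_report`; a non-zero `truncated` count with a small `snaplen` is the situation described in the reply above, and the fix is to recapture with a larger snaplen (for example `tcpdump -s 1514` or `-s 0`) rather than to change anything on the Snort side.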
