[Snort-users] Generating alert when reading tcpdump file
erek at ...577...
Wed Jul 3 14:46:02 EDT 2002
On Wed, 3 Jul 2002, Andrew R. Baker wrote:
> tang xun wrote:
> > Hi All,
> > I got some tcpdump data from various network to
> > analyze. I am able to start snort to read those
> > tcpdump files with the following command and generate
> > logs.
> > snort -A full -v -d -h home_net -l /var/log/snort -r
> > tcpdump_file.
> You are missing a "-c snort.conf" in the above line. You need to use
> this if you want Snort to run with any rules enabled.
> > But the "-A full" didn't work. I only got an empty
> > alert file although I can see attacks in the tcpdump
> > file.
> > The question is whether snort can generate alerts
> > when reading tcpdump files (in playback mode)?
> Yes, but you have to load some rules for it to use to detect the alerts.
One thing to also keep in mind: The default snaplen for tcpdump is 64. The
default snaplen for snort is 1514. So tcpdump might 'see' the attack but if
the data that the rules are matching is > 64 into the packet, it won't fire.
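An added example, not part of the thread: a small Python script that reads a classic libpcap file's global header and record headers, reports the snaplen the capture was taken with, lists the records that were cut short (captured length smaller than original length), and counts how many records still carry at least N bytes, which is what a content rule matching N bytes into the frame needs. The sample capture is constructed inline with build_pcap; the names build_pcap, parse_pcap, truncation_report and packets_covering are my own, not snort's or tcpdump's.

```python
import struct
from typing import List

GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len

# Constructed sample frames (padding bytes only): one short frame and two that a
# snaplen of 64 will truncate. Ethernet(14) + IPv4(20) + TCP(20) headers already use
# 54 of those 64 bytes, so almost no payload survives for a content rule to inspect.
SAMPLE_FRAMES = [bytes(60), bytes(200), bytes(1400)]


def build_pcap(snaplen: int, frames: List[bytes], linktype: int = 1) -> bytes:
    """Construct a little-endian classic pcap file in memory (test data, not a real capture).
    Each frame is cut at snaplen the way tcpdump -s <snaplen> would cut it, while orig_len
    keeps the frame's true on-the-wire length."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1025740762 + i, 0, len(captured), len(frame)) + captured
    return out


def parse_pcap(data: bytes) -> dict:
    """Parse a classic libpcap file (not pcapng): return its snaplen and, per record,
    the (captured, original) length pair. Handles both byte orders of the magic number."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("too short to hold a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#x})")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    records = []
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        if off + incl_len > len(data):
            raise ValueError(f"record header at offset {off - RECORD_HDR_LEN} runs past end of file")
        records.append((incl_len, orig_len))
        off += incl_len
    return {"snaplen": snaplen, "records": records}


def truncation_report(data: bytes) -> dict:
    """Summarise how much of each packet the capture actually kept."""
    parsed = parse_pcap(data)
    truncated = [i for i, (incl, orig) in enumerate(parsed["records"]) if incl < orig]
    return {
        "snaplen": parsed["snaplen"],
        "packets": len(parsed["records"]),
        "truncated": truncated,
        "max_captured": max((incl for incl, _ in parsed["records"]), default=0),
    }


def packets_covering(data: bytes, needed_bytes: int) -> int:
    """Count records whose captured length reaches needed_bytes, i.e. records where a rule
    that matches content needed_bytes into the frame still has the bytes to look at."""
    return sum(1 for incl, _ in parse_pcap(data)["records"] if incl >= needed_bytes)


if __name__ == "__main__":
    for snaplen in (64, 1514):
        capture = build_pcap(snaplen, SAMPLE_FRAMES)
        report = truncation_report(capture)
        print(f"snaplen {snaplen}: {report['packets']} packets, truncated records {report['truncated']}, "
              f"{packets_covering(capture, 100)} packets with >= 100 bytes captured")
```

Run against a real file with `truncation_report(open("capture.pcap", "rb").read())`: a snaplen of 64 with most records listed as truncated explains an empty alert file even when rules are loaded with -c, and the fix is on the capture side (tcpdump's -s option sets the snaplen), since snort -r can only inspect the bytes that were saved.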