[Snort-users] Doubt about snort.org
ag-snort at ...7149...
Tue Oct 22 07:16:04 EDT 2002
Javier Verdu Mula wrote:
>Some people told me that there are input data for snort (i.e. TCP traffic
>traces) on www.snort.org, but I cannot find them. Do these traces
>exist? Where can I find them?
I know they had some packet traces on the website, so I did some
searching, and at http://www.snort.org/dl/contrib/other_stuff/
there is "sans_handson.tgz" ... If you download that, it has some
"exercises" with packet dumps (you can run them through snort).
What you want to do is something similar to the following:
/usr/local/bin/snort -d -c /path/to/snort.conf -l ./log -h x.x.x.x/24 -r
Once this is done, your data will be sitting in the ./log directory. Or you
can run them through tcpdump. (There is also some TCPDUMP
>A second question is about... if I have these traces, what does snort do
>when it finds a started TCP dialog? I mean, when snort starts to run and
>detects one (i.e. a started TCP initialization dialog), may snort be confused
>and understand it as a possible attack while the packets are not dangerous?
Again, almost all ID systems have some false positives; the only way to
FULLY understand them is to investigate them...
You should play with/configure snort to your liking (and your network's). After
that, I'm positive you will start to LOVE snort.
Hope it helps
The secret to success is to start from scratch and keep on scratching.
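The reply above feeds a tcpdump-format capture to snort with -r and notes that a plain TCP session start is not an attack even if an IDS flags it. The script below is an added example, not part of this post or of snort: it builds a small pcap in memory (constructed sample, three-way handshake plus one lone SYN), parses the pcap/Ethernet/IPv4/TCP layers with only the standard library, and reports the handshake state of each flow, which is the kind of quick check a defender can run on a capture before or after snort reads it to confirm whether a flagged "dialog" actually completed. The addresses, ports and the SYN_ONLY / ESTABLISHED labels are assumptions made for this example.

```python
import struct

# pcap constants (libpcap file format, Ethernet link type)
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6
SYN, ACK = 0x02, 0x10


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def tcp_packet(src, dst, sport, dport, flags, seq, ack):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + ETHERTYPE_IPV4          # dst MAC, src MAC, ethertype
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Write a little-endian pcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample capture (assumed addresses): one full handshake and one lone SYN.
SAMPLE_PCAP = build_pcap([
    tcp_packet("10.0.0.5", "10.0.0.80", 40000, 80, SYN, 100, 0),
    tcp_packet("10.0.0.80", "10.0.0.5", 80, 40000, SYN | ACK, 500, 101),
    tcp_packet("10.0.0.5", "10.0.0.80", 40000, 80, ACK, 101, 501),
    tcp_packet("10.0.0.9", "10.0.0.80", 40001, 80, SYN, 7, 0),
])


def iter_frames(data):
    """Yield raw link-layer frames from pcap bytes, honouring the magic's byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 14:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport, _seq, _ack, _off, flags = struct.unpack_from("!HHIIBB", ip, ihl)
    return src, sport, dst, dport, flags


def handshake_summary(data):
    """Track each client->server flow through SYN, SYN-ACK and the final ACK."""
    states = {}
    for frame in iter_frames(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            states.setdefault(fwd, "SYN_ONLY")
        elif flags & SYN and flags & ACK and states.get(rev) == "SYN_ONLY":
            states[rev] = "SYN_ACK"
        elif flags & ACK and states.get(fwd) == "SYN_ACK":
            states[fwd] = "ESTABLISHED"
    return states


if __name__ == "__main__":
    for flow, state in handshake_summary(SAMPLE_PCAP).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {state}")
```

To run it over a real tcpdump file instead of the constructed sample, pass the file's bytes to handshake_summary; a flow that stays at SYN_ONLY is what a half-open probe looks like, while ESTABLISHED is the ordinary "started dialog" the question asks about, which snort may log but which is not in itself an attack.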