[Snort-users] Doubt about snort.org

Alberto Gonzalez ag-snort at ...7149...
Tue Oct 22 07:16:04 EDT 2002


Javier Verdu Mula wrote:

>Hi folks
>
>Some people told me that there are input data for snort (i.e. TCP traffic
>traces) on www.snort.org, but I can not find them. Do these traces
>actually exist? Where can I find them?
>
I know they had some packet traces on the website, so I did some 
searching, and at http://www.snort.org/dl/contrib/other_stuff/
there is "sans_handson.tgz" ... If you download that, it has some 
"exercises" with packet dumps (you can run them through snort).
What you want to do is something similar to the following:

/usr/local/bin/snort -d -c /path/to/snort.conf -l ./log -h x.x.x.x/24 -r <dump file>

Once this is done, your data will be sitting in the ./log directory.  Or you 
can run them through tcpdump. (There are also some tcpdump traces.)

>A second question is about... if I have these traces, what is the snort
>behavior when it finds a TCP dialog that has already started? I mean, when
>snort starts to run and detects (i.e. an already started TCP initialization
>dialog), may snort get confused and understand a possible attack while the
>packets are not dangerous?
>
Again, almost all ID systems have some false positives; the only way to 
FULLY understand them is to investigate them...
You should play with/configure snort to your liking (and your network's). After 
that, I'm positive you will start to LOVE snort.

Hope it Helps

    - Albert

-- 
The secret to success is to start from scratch and keep on scratching.
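The second question above is about what a sensor makes of a TCP conversation it only sees mid-stream (no SYN observed, because capture or the sensor started after the handshake). The following is an added example, not code from the post or from the Snort project: a minimal libpcap reader that groups TCP packets in a dump file by 4-tuple and reports which flows were picked up mid-stream. The pcap bytes, addresses and ports are constructed inline (assumptions for the demonstration) so the script runs offline; point `midstream_flows()` at the bytes of a real `-r` style dump file to run it on your own traces.

```python
"""Find TCP flows that a packet trace sees only mid-stream (no SYN observed).

Added example, not from the mailing-list post. Parses classic libpcap files
with Ethernet framing and reports flows whose first packet is not a SYN, i.e.
conversations already in progress when the capture (or the sensor) started.
The sample capture below is constructed inline.
"""
import struct
from collections import OrderedDict

PCAP_MAGIC_LE = 0xA1B2C3D4   # file bytes d4 c3 b2 a1 read with "<I"
PCAP_MAGIC_BE = 0xD4C3B2A1   # file bytes a1 b2 c3 d4 read with "<I"
ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
IPPROTO_TCP = 6
TH_SYN, TH_PSH, TH_ACK = 0x02, 0x08, 0x10


def build_pcap(frames):
    """Wrap raw Ethernet frames in a little-endian libpcap file (constructed data)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return hdr + body


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums are left zero, which is enough for parsing."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def iter_packets(data):
    """Yield (timestamp, frame bytes) for each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    if frame[23] != IPPROTO_TCP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    return src, dst, sport, dport, frame[tcp + 13]


def midstream_flows(pcap_bytes):
    """Map each flow (direction-independent 4-tuple) to True if seen mid-stream."""
    first_is_syn = OrderedDict()
    for _ts, frame in iter_packets(pcap_bytes):
        p = parse_tcp(frame)
        if p is None:
            continue  # ARP and other non-TCP frames are skipped
        src, dst, sport, dport, flags = p
        key = tuple(sorted([(src, sport), (dst, dport)]))
        if key not in first_is_syn:
            # a clean pickup starts with a bare SYN (no ACK bit)
            first_is_syn[key] = bool(flags & TH_SYN) and not (flags & TH_ACK)
    return {k: not syn for k, syn in first_is_syn.items()}


# Constructed sample: one full handshake, one conversation captured after its
# handshake, and one ARP frame that the TCP parser must ignore.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.80", 40001, 80, TH_SYN),
    build_tcp_frame("10.0.0.80", "10.0.0.5", 80, 40001, TH_SYN | TH_ACK),
    build_tcp_frame("10.0.0.5", "10.0.0.80", 40001, 80, TH_ACK),
    build_tcp_frame("10.0.0.5", "10.0.0.80", 40001, 80, TH_PSH | TH_ACK, b"GET / HTTP/1.0\r\n\r\n"),
    build_tcp_frame("10.0.0.7", "10.0.0.25", 51515, 25, TH_PSH | TH_ACK, b"MAIL FROM:<a@b>\r\n"),
    build_tcp_frame("10.0.0.25", "10.0.0.7", 25, 51515, TH_ACK),
    b"\xff" * 12 + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28,
])


def report(pcap_bytes=SAMPLE_PCAP):
    """One human-readable line per flow, tagging mid-stream pickups."""
    lines = []
    for (a, b), mid in midstream_flows(pcap_bytes).items():
        tag = "MID-STREAM (no SYN seen)" if mid else "handshake seen"
        lines.append(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Flows tagged MID-STREAM are the ones where a stream-reassembling IDS has no handshake to anchor state on; when you get alerts on such a flow from a replayed trace, checking whether the trace even contains the SYN is a quick first step in deciding whether the alert is a false positive.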