[Snort-users] Re: I don't get any alerts when reading from file.

dimopoulos at ...12202... dimopoulos at ...12202...
Mon Aug 2 02:08:00 EDT 2004


Still, I should have been able to get alerts for infected UDP files,
right? I get absolutely NO alerts! Any other ideas?

> A lot of the snort signatures require an established connection (TCP
> handshake).  Look for "flow:established" in the rule. If your pcap file
> only contains the packets with the signatures and not the entire
> session, snort will not trigger on them.
>
> That's just my guess...
>
> On Fri, 30 Jul 2004 12:55:29 +0300 (EEST), dimopoulos at ...12202...
> <dimopoulos at ...12202...> wrote:
>> Hullo.
>> I'm using snort 2.1.3 on Windows 2000 SP4, on a 1.5 GHz Pentium 4
>> processor with 512 MB and have libcap 3.0. For the past days I've been
>> trying in vain to get snort to read from a file and log the alerts,
>> yet nothing happens. I've edited snort.conf to include all the rule
>> files and set all addresses to 'any'. For a typical execution I use:
>> snort.exe -c snort.conf -r test.txt (test.txt is a random tcp dump
>> file I have created using Ethereal and every packet in the file
>> contains a signature.) I can see that the rules are read successfully
>> from the '.rule' files "2060 Snort rules read...
>> 2060 Option Chains linked into 254 Chain Headers"
>> At the results section the "Breakdown by protocol:" is correct but the
>> actions are all 0 (alerts=0,logged=0,passed=0). When I use -vd I can
>> see the header and the data of the packets are all ok (and should
>> generate alerts). I've tried the various -A switches, no change. After
>> reading both the manual and the FAQ I still haven't found anything. Am
>> I blind and have missed something obvious? Any help will be deeply
>> appreciated and will help spare what little hair I haven't torn off my
>> scalp yet!! Thanks!
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
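The point made in the quoted reply (a rule carrying flow:established only fires once the session has been seen to complete its handshake) is easy to test with two pcaps. The script below is an added example, not code from the thread or from Snort: it hand-builds Ethernet/IPv4/TCP frames with valid checksums, writes one capture that contains the three-way handshake followed by the payload and one that contains only the payload packet, and includes a toy stateful tracker that mirrors why the second capture never reaches the "established" state. The addresses, ports, MAC addresses and HTTP payload are constructed sample values; replace the payload with whatever content your rule matches on and run `snort -c snort.conf -r session.pcap` and `snort -c snort.conf -r lone.pcap` to compare alert counts.

```python
import struct

# Constructed sample endpoints and payload (assumptions, not from the thread).
CLIENT = ("10.0.0.1", 40000)
SERVER = ("10.0.0.2", 80)
PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
FLAG_SYN, FLAG_PSH, FLAG_ACK = 0x02, 0x08, 0x10


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_frame(src, dst, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP (no options) with correct IP and TCP checksums."""
    sip, sport = src
    dip, dport = dst
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, flags, 8192, 0, 0)
    pseudo = ip_to_bytes(sip) + ip_to_bytes(dip) + struct.pack(
        "!BBH", 0, 6, len(tcp_hdr) + len(payload))
    tcp_sum = ip_checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_sum) + tcp_hdr[18:]
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         ip_to_bytes(sip), ip_to_bytes(dip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip_hdr + tcp_hdr + payload


def handshake_then_payload():
    """SYN, SYN/ACK, ACK, then the client's data: a complete session."""
    c_isn, s_isn = 1000, 5000
    return [
        tcp_frame(CLIENT, SERVER, c_isn, 0, FLAG_SYN),
        tcp_frame(SERVER, CLIENT, s_isn, c_isn + 1, FLAG_SYN | FLAG_ACK),
        tcp_frame(CLIENT, SERVER, c_isn + 1, s_isn + 1, FLAG_ACK),
        tcp_frame(CLIENT, SERVER, c_isn + 1, s_isn + 1, FLAG_PSH | FLAG_ACK, PAYLOAD),
    ]


def lone_payload():
    """Only the data packet, the way a filtered capture of 'just the hits' looks."""
    return [tcp_frame(CLIENT, SERVER, 1001, 5001, FLAG_PSH | FLAG_ACK, PAYLOAD)]


def pcap_bytes(frames) -> bytes:
    """Classic libpcap file: magic, v2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def flow_state_at_payload(frames) -> str:
    """Toy stream tracker: a flow becomes 'established' only after SYN,
    SYN/ACK and ACK are all seen. Returns the state when data first arrives."""
    state = "none"
    for frame in frames:
        flags = frame[14 + 20 + 13]          # TCP flags byte, 20-byte IP header
        if len(frame) > 54:                  # data present: this is the packet a rule inspects
            return state
        if flags == FLAG_SYN:
            state = "syn"
        elif flags == FLAG_SYN | FLAG_ACK and state == "syn":
            state = "syn_ack"
        elif flags == FLAG_ACK and state == "syn_ack":
            state = "established"
    return state


if __name__ == "__main__":
    for name, frames in (("session.pcap", handshake_then_payload()),
                         ("lone.pcap", lone_payload())):
        with open(name, "wb") as fh:
            fh.write(pcap_bytes(frames))
        print(name, "flow state at payload:", flow_state_at_payload(frames))
```

The tracker is deliberately simpler than Snort's stream preprocessor (no timeouts, no midstream pickup, no sequence checking), but it shows the mechanism: a payload packet with no preceding handshake in the capture is inspected while the flow is still in the "none" state, so any rule restricted to established flows is skipped regardless of its content match. Rules without a flow option, including most UDP rules, are not affected by this, so if those stay silent too the cause lies elsewhere (for example the HOME_NET/EXTERNAL_NET variables, or a data-link type in the file that snort does not decode as expected).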