[Snort-users] Re: I don't get any alerts when reading from file.
roesch at ...1935...
Mon Aug 2 20:06:04 EDT 2004
How did you create the tcpdump file? What was the command line you
used with tcpdump?
Can you try running Snort like this:
snort -c snort.conf -A console -b -r test.txt
What makes you think that every packet should be generating an alert?
Which SID do you expect to be firing?
You might want to start with a simpler test to just detect the specific
alert that you're looking for. You could even write a custom rule for
On Aug 2, 2004, at 5:03 AM, dimopoulos at ...12202... wrote:
> Still, I should have been able to get alerts for infected UDP files,
> right? I get absolutely NO alerts! Any other ideas?
>> A lot of the snort signatures require an established connection (TCP
>> handshake). Look for "flow:established" in the rule. If your pcap
>> only contains the packets with the signatures and not the entire
>> session, snort will not trigger on them.
>> That's just my guess...
>> On Fri, 30 Jul 2004 12:55:29 +0300 (EEST), dimopoulos at ...12202...
>> <dimopoulos at ...12202...> wrote:
>>> I'm using snort 2.1.3 on Windows 2000 SP4, on a 1.5 GHz Pentium 4
>>> processor with 512 MB and have libcap 3.0. For the past days I've been
>>> trying in vain to get snort to read from a file and log the alerts,
>>> yet nothing happens. I've edited snort.conf to include all the rule
>>> files and set all addresses to 'any'. For a typical execution I use:
>>> snort.exe -c snort.conf -r test.txt (test.txt is a random tcp dump
>>> file I have created using Ethereal and every packet in the file
>>> contains a signature.) I can see that the rules are read successfully
>>> from the '.rule' files "2060 Snort rules read...
>>> 2060 Option Chains linked into 254 Chain Headers"
>>> At the results section the "Breakdown by protocol:" is correct but
>>> actions are all 0 (alerts=0,logged=0,passed=0). When I use -vd I can
>>> see the header and the data of the packets are all ok (and should
>>> generate alerts). I've tried the various -A switches, no change.
>>> Reading both the manual and the FAQ I still haven't found anything.
>>> Am I blind and have missed something obvious? Any help will be deeply
>>> appreciated and will help spare what little hair I haven't torn off
>>> my scalp yet!! Thanks!
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
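The guess quoted above, that rules carrying flow:established stay silent when the capture holds only the payload packets and not the TCP session around them, is easy to check before blaming the rule set. The following added example (my own code, not from the thread or the Snort project) parses a little-endian libpcap file with nothing but the standard library and reports, per TCP flow, whether the SYN, SYN/ACK and ACK of the handshake are all present; the two captures it builds are constructed inline, and the IP addresses, ports and HTTP payload are made-up stand-ins.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits used below

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap raw frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def flow_state(pcap):
    """Map each TCP flow to True only if its SYN, SYN/ACK and ACK are all in the capture."""
    assert pcap[:4] == b"\xd4\xc3\xb2\xa1", "only little-endian pcap handled here"
    flows, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        a = f"{socket.inet_ntoa(frame[26:30])}:{sport}"
        b = f"{socket.inet_ntoa(frame[30:34])}:{dport}"
        key = "<->".join(sorted((a, b)))  # direction-independent flow key
        flows.setdefault(key, set()).add(tcp[13] & (SYN | ACK))
    return {k: {SYN, SYN | ACK, ACK} <= v for k, v in flows.items()}
# Constructed captures: one with the whole session, one with only the payload packet.
C, S = "10.0.0.1", "10.0.0.2"
PAYLOAD = b"GET /example HTTP/1.0\r\n\r\n"  # stand-in for content a rule would match
FULL_SESSION = build_pcap([tcp_frame(C, S, 40000, 80, SYN),
                           tcp_frame(S, C, 80, 40000, SYN | ACK),
                           tcp_frame(C, S, 40000, 80, ACK),
                           tcp_frame(C, S, 40000, 80, ACK | 0x08, PAYLOAD)])
PAYLOAD_ONLY = build_pcap([tcp_frame(C, S, 40000, 80, ACK | 0x08, PAYLOAD)])

if __name__ == "__main__":
    print(flow_state(FULL_SESSION), flow_state(PAYLOAD_ONLY))
```

A flow reported False is one where a flow:established rule cannot fire from the file alone, whatever the payload contains; recapture the whole session rather than only the packets that carry the signature.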