[Snort-users] Re: I don't get any alerts when reading from file.

Martin Roesch roesch at ...1935...
Mon Aug 2 20:06:04 EDT 2004

How did you create the tcpdump file?  What was the command line you 
used with tcpdump?

Can you try running Snort like this:

snort -c snort.conf -A console -b -r test.txt

What makes you think that every packet should be generating an alert?  
Which SID do you expect to be firing?

You might want to start with a simpler test to just detect the specific 
alert that you're looking for.  You could even write a custom rule for 


On Aug 2, 2004, at 5:03 AM, dimopoulos at ...12202... wrote:

> Still, I should have been able to get alerts for infected UDP files,
> right? I get absolutely NO alerts! Any other ideas?
>> A lot of the snort signatures require an established connection (TCP
>> handshake).  Look for "flow:established" in the rule. If your pcap file
>> only contains the packets with the signatures and not the entire
>> session, snort will not trigger on them.
>> That's just my guess...
>> On Fri, 30 Jul 2004 12:55:29 +0300 (EEST), dimopoulos at ...12202...
>> <dimopoulos at ...12202...> wrote:
>>> Hullo.
>>> I'm using snort 2.1.3 on Windows 2000 SP4, on a 1.5 GHz Pentium 4
>>> processor with 512 MB and have libcap 3.0. For the past days I've been
>>> trying in vain to get snort to read from a file and log the alerts,
>>> yet nothing happens. I've edited snort.conf to include all the rule
>>> files and set all addresses to 'any'. For a typical execution I use:
>>> snort.exe -c snort.conf -r test.txt (test.txt is a random tcp dump
>>> file I have created using Ethereal and every packet in the file
>>> contains a signature.) I can see that the rules are read successfully
>>> from the '.rule' files "2060 Snort rules read...
>>> 2060 Option Chains linked into 254 Chain Headers"
>>> At the results section the "Breakdown by protocol:" is correct but the
>>> actions are all 0 (alerts=0,logged=0,passed=0). When I use -vd I can
>>> see the header and the data of the packets are all ok (and should
>>> generate alerts). I've tried the various -A switches, no change. After
>>> reading both the manual and the FAQ I still haven't found anything. Am
>>> I blind and have missed something obvious? Any help will be deeply
>>> appreciated and will help spare what little hair I haven't torn off my
>>> scalp yet!! Thanks!

Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
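
The point in the quoted reply about "flow:established" rules and captures that lack the whole session, as an added example that is not part of the original thread: a Python script that reads a classic libpcap file (Ethernet, IPv4) and lists the TCP flows that carry payload without a SYN, SYN-ACK, ACK sequence in the capture. It is a simplified check that ignores sequence numbers, not Snort's own stream tracking; the function names, addresses and the sample capture are constructed for illustration.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10

def flows_missing_handshake(pcap):
    """Return TCP flows with payload but no SYN, SYN-ACK, ACK in the capture."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    stage, missing, off = {}, set(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not an IPv4 packet carrying TCP
        # TCP segment: from the end of the IP header to the IP total length
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:14 + struct.unpack("!H", pkt[16:18])[0]]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        ends = sorted([(socket.inet_ntoa(pkt[26:30]), sport),
                       (socket.inet_ntoa(pkt[30:34]), dport)])
        flow = "%s:%d <-> %s:%d" % (ends[0] + ends[1])
        flags, seen = tcp[13] & (SYN | ACK), stage.get(flow, 0)
        if flags == SYN:
            stage[flow] = 1
        elif flags == SYN | ACK and seen == 1:
            stage[flow] = 2
        elif flags == ACK and seen == 2:
            stage[flow] = seen = 3  # handshake complete
        if len(tcp) > (tcp[12] >> 4) * 4 and seen < 3:
            missing.add(flow)  # payload outside an established session
    return sorted(missing)

def pkt_record(src, sport, dst, dport, flags, payload=b""):
    """Constructed pcap record: Ethernet/IPv4/TCP frame, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def sample_capture():
    """Constructed input: one full session and one payload-only packet."""
    c, s, x = ("10.0.0.5", 1025), ("10.0.0.9", 80), ("10.0.0.7", 1030)
    recs = [pkt_record(*c, *s, SYN), pkt_record(*s, *c, SYN | ACK),
            pkt_record(*c, *s, ACK), pkt_record(*c, *s, ACK, b"GET / HTTP/1.0"),
            pkt_record(*x, *s, ACK, b"GET /x HTTP/1.0")]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(recs)
```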
