[Snort-users] Re: I don't get any alerts when reading from file.

dimopoulos at ...12202... dimopoulos at ...12202...
Tue Aug 3 02:32:03 EDT 2004

First of all, thanks for your time!
 Now, here is the entire process I use. I have written a small program in
 C++ that reads all the .rules files that have a 'content' field and
 generates fake IP packets that match those rules. The packets contain all
 the necessary header data (IP and TCP/UDP) to match the rule along with
 the necessary payload (random but with content that matches that of the
 rule). I write these packets in hexdump format and then use the tool
 'text2pcap' of Ethereal to convert it from hexdump to tcpdump
 format,using teh command line "text2pcap -q -l 12 <source>
 <destination>", and after that I take the newly generated file and feed
 it to snort. Using the -vd switches I can see that the IP addresses,
 ports and payload are ok (i.e. should match) yet I get nothing. And the
 fake samples I use are large enough (250000 packets) that at least some
 should have triggered.

> How did you create the tcpdump file?  What was the command line you
> used with tcpdump?
> Can you try running Snort like this:
> snort -c snort.conf -A console -b -r test.txt
> What makes you think that every packet should be generating an alert?
> Which SID do you expect to be firing?
> You might want to start with a simpler test to just detect the specific
>  alert that you're looking for.  You could even write a custom rule for
>  it...
>      -Marty
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Intelligent Security Monitoring
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-users mailing list