[Fwd: Re: [Snort-users] Re: I don't get any alerts when reading from file.]

dimopoulos at ...12202... dimopoulos at ...12202...
Tue Aug 3 02:39:01 EDT 2004


First of all, thanks for your time!
 Now, here is the entire process I use. I have written a small program in
C++ that reads all the .rules files that have a 'content' field and
generates fake IP packets that match those rules. The packets contain
all the necessary header data (IP and TCP/UDP) to match the rule along
with the necessary payload (random but with content that matches that of
the rule). I write these packets in hexdump format and then use the tool
'text2pcap' of Ethereal to convert it from hexdump to tcpdump
format, using the command line "text2pcap -q -l 12 <source>
<destination>", and after that I take the newly generated file and feed
it to snort. Using the -vd switches I can see that the IP addresses,
ports and payload are ok (i.e. should match) yet I get nothing. And the
fake samples I use are large enough (250000 packets) that at least some
should have triggered.
 I tried running snort like
   snort -c snort.conf -A console -b -r test.txt
 but nothing changed.

PS: I used snort to log some packets off the net and then fed the
snort-generated log file to snort. Those logs DID trigger snort. Could the
problem be with Ethereal? Or am I simply banging my head against a wall? Thanks!

> How did you create the tcpdump file?  What was the command line you
> used with tcpdump?
>
> Can you try running Snort like this:
>
> snort -c snort.conf -A console -b -r test.txt
>
> What makes you think that every packet should be generating an alert?
> Which SID do you expect to be firing?
>
> You might want to start with a simpler test to just detect the specific
>  alert that you're looking for.  You could even write a custom rule for
>  it...
>
>      -Marty
>
>
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Intelligent Security Monitoring
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
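Marty's suggestion of one custom rule is the fastest way to isolate the hexdump -> text2pcap -> snort pipeline. The block below is an added example, not code from this thread, from Snort or from Ethereal: it builds a single raw IPv4/TCP packet with valid IP and TCP checksums around a chosen content, prints it in the offset-plus-hex layout that text2pcap parses (no Ethernet header, so it pairs with the "-l 12" raw-IP link type used above), and carries a hypothetical rule (sid 1000001) written only to fire on that packet. The addresses, ports, payload, sequence numbers and the rule are all assumptions made for the example. Two caveats the example is built around: Snort does not run detection on packets whose IP or TCP checksum is wrong unless checksum verification is turned off (the -k option / checksum_mode), so generated packets should have their checksums verified; and a lone packet with no handshake cannot satisfy the flow:established option that many stock rules carry, so the custom rule leaves that option out.

```python
"""Build one raw IPv4/TCP packet that should match a custom Snort content
rule, and emit it in the hexdump layout text2pcap reads.

Added example, not code from the thread, Snort or Ethereal. Every value
below (addresses, ports, payload, sequence numbers, sid) is a constructed
assumption for the example.
"""
import struct
import sys

# Constructed sample values (hypothetical, chosen for the example only).
SRC_IP = "10.0.0.1"
DST_IP = "10.0.0.2"
SRC_PORT = 40000
DST_PORT = 80
PAYLOAD = b"GET /testmatch HTTP/1.0\r\n\r\n"

# Hypothetical rule meant to fire on the packet built here. It deliberately
# omits flow:established so a single packet with no TCP handshake can match.
CUSTOM_RULE = (
    'alert tcp any any -> any 80 (msg:"TEST content match"; '
    'content:"/testmatch"; sid:1000001; rev:1;)'
)


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) of data; an odd length is padded with 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_packet(src=SRC_IP, dst=DST_IP, sport=SRC_PORT, dport=DST_PORT,
                 payload=PAYLOAD) -> bytes:
    """IPv4 header + TCP header (PSH|ACK, no options) + payload, with the IP
    header checksum and the TCP checksum both filled in."""
    tcp_len = 20 + len(payload)
    total_len = 20 + tcp_len

    # IPv4 header with the checksum field zeroed, then checksummed.
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]

    # TCP header: arbitrary seq/ack, data offset 5 (20 bytes), flags PSH|ACK.
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0x11111111, 0x22222222,
                          5 << 4, 0x18, 8192, 0, 0)
    # The TCP checksum covers the pseudo-header, TCP header and payload.
    pseudo = struct.pack("!4s4sBBH", ip_to_bytes(src), ip_to_bytes(dst), 0, 6, tcp_len)
    tcp_csum = ones_complement_sum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]

    return ip_hdr + tcp_hdr + payload


def checksums_ok(pkt: bytes) -> bool:
    """Recompute both checksums over a finished packet; each must fold to 0.
    Snort skips detection on packets with a bad IP or TCP checksum unless
    verification is disabled (-k none), so check this first on fake traffic."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ip_ok = ones_complement_sum(pkt[:ihl]) == 0
    seg = pkt[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, pkt[9], len(seg))
    tcp_ok = ones_complement_sum(pseudo + seg) == 0
    return ip_ok and tcp_ok


def to_text2pcap(pkt: bytes, width: int = 16) -> str:
    """Render pkt as 'offset  hex bytes' lines. text2pcap starts a new packet
    whenever the offset restarts at 0, so several packets can be concatenated.
    The dump starts at the IP header, hence the '-l 12' (raw IP) link type."""
    lines = []
    for off in range(0, len(pkt), width):
        chunk = pkt[off:off + width]
        lines.append("%06x %s" % (off, " ".join("%02x" % b for b in chunk)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    packet = build_packet()
    if not checksums_ok(packet):
        sys.exit("checksum error in generated packet")
    sys.stdout.write(to_text2pcap(packet))   # hexdump for text2pcap
    sys.stderr.write(CUSTOM_RULE + "\n")     # rule to add to a .rules file
```

Usage, with the file names as assumptions: `python3 gen.py > fake.txt 2> test.rules`, then `text2pcap -q -l 12 fake.txt fake.pcap`, include test.rules from snort.conf, and run `snort -c snort.conf -A console -r fake.pcap`. If sid 1000001 fires here but the mass-generated file stays silent, the difference lies in the generated packets (checksums, link type, or rule options such as flow that a single packet cannot satisfy) rather than in the read-from-file path.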
