[Fwd: Re: [Snort-users] Re: I don't get any alerts when reading from file.]

Martin Roesch roesch at ...1935...
Tue Aug 3 11:31:12 EDT 2004


Are these packets you're creating all TCP based?  If so, you can't just 
generate TCP packets that match Snort rules and expect it to fire, 
Snort's engine is stateful and won't just alert on random TCP packets, 
it needs to see a full TCP three-way-handshake to put the stream 
trackers into the ESTABLISHED state.  That's what those "flow: 
established" keywords are for in the rules.  This functionality was 
written into Snort to defeat snot/stick/sneeze type applications (such 
as the one you're writing) back in the 1.8.x days...

      -Marty


On Aug 3, 2004, at 5:34 AM, dimopoulos at ...12202... wrote:

> First of all, thanks for your time!
>  Now, here is the entire process I use. I have written a small program 
> in
> C++ that reads all the .rules files that have a 'content' field and
> generates fake IP packets that match those rules. The packets contain
> all the necessary header data (IP and TCP/UDP) to match the rule along
> with the necessary payload (random but with content that matches that 
> of
> the rule). I write these packets in hexdump format and then use the 
> tool
> 'text2pcap' of Ethereal to convert it from hexdump to tcpdump
> format,using teh command line "text2pcap -q -l 12 <source>
> <destination>", and after that I take the newly generated file and feed
> it to snort. Using the -vd switches I can see that the IP addresses,
> ports and payload are ok (i.e. should match) yet I get nothing. And the
> fake samples I use are large enough (250000 packets) that at least some
> should have triggered.
>  I tried running snort like
>    snort -c snort.conf -A console -b -r test.txt
>  but nothing changed.
>
> PS: I used snort to log some packets off the net and then fed the
> snort-generated log file to snort. Those logs DID trigger snort. Could 
> the
> problem be with Ethereal? Or am I simply banging my head against a 
> wall?Thanks!
>
>> How did you create the tcpdump file?  What was the command line you
>> used with tcpdump?
>>
>> Can you try running Snort like this:
>>
>> snort -c snort.conf -A console -b -r test.txt
>>
>> What makes you think that every packet should be generating an alert?
>> Which SID do you expect to be firing?
>>
>> You might want to start with a simpler test to just detect the 
>> specific
>>  alert that you're looking for.  You could even write a custom rule 
>> for
>>  it...
>>
>>      -Marty
>>
>>
>>
>> --
>> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
>> Sourcefire: Intelligent Security Monitoring
>> roesch at ...1935... - http://www.sourcefire.com
>> Snort: Open Source Network IDS - http://www.snort.org
>
>
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org





More information about the Snort-users mailing list