[Snort-users] reading tcpdump file

Edward Young ey52 at ...2868...
Tue Oct 12 07:30:14 EDT 2004


That worked perfectly.   Thanks.

Edward Young

----- Original Message ----- 
From: "Jeff Dell" <jdell at ...1095...>
To: "'Edward Young'" <ey52 at ...2868...>; 
<snort-users at lists.sourceforge.net>
Sent: Tuesday, October 12, 2004 10:13 AM
Subject: RE: [Snort-users] reading tcpdump file


> You also might want to try adding "-k none" to your command line. This is
> to ignore checksums. If the program that logged this TCPDump file mangled the
> packets, your checksums will fail and snort will ignore them.
>
> Jeff
>
> -----Original Message-----
> From: Edward Young [mailto:ey52 at ...2868...]
> Sent: Tuesday, October 12, 2004 10:08 AM
> To: Jeff Dell; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] reading tcpdump file
>
> Thanks for the suggestions but neither worked.  There were no preprocessors.
>
> I only had that one rule in my conf file.
>
> So am I getting problems because the packets are incomplete?
>
> I tried "alert tcp any any <> any any (content:"get"; nocase;)" on the
> tcpdump file but didn't get any alerts on that file.
>
> I checked the tcpdump file in Ethereal and did find packets with "get" in
> the payload but they were marked as "Short Frame".  Does snort handle these
> "Short Frame" packets differently from complete packets?
>
> Thanks,
>
> Edward Young
>
> ----- Original Message ----- 
> From: "Jeff Dell" <jdell at ...1095...>
> To: "'Edward Young'" <ey52 at ...2868...>;
> <snort-users at lists.sourceforge.net>
> Sent: Monday, October 11, 2004 7:36 PM
> Subject: RE: [Snort-users] reading tcpdump file
>
>
>> We had this same problem on our honeynet and had to start a new snort
>> process that was dedicated to tcpdump. What you are seeing can be caused
>> by a few different reasons... here are a couple:
>>
>> 1. It is not logging the fragmented packets, but the reassembled packet.
>> If you only want to log tcp traffic, you might want to turn off the
>> preprocessors. However this should be fixed in the newer versions of
>> Snort.
>>
>> 2. You might not be capturing both sides of the transmission. I would try
>> this:
>>  alert tcp any any <> any any
>>
>> Cheers,
>>
>> Jeff
>>
>> -----Original Message-----
>> From: snort-users-admin at lists.sourceforge.net
>> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Edward Young
>> Sent: Monday, October 11, 2004 6:23 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] reading tcpdump file
>>
>> Hi,
>>
>> I am trying to read a tcpdump file into snort.  For some reason, it seems
>> that some of the tcp packets are being ignored.  The only
>> reason I can think of is because the tcpdump file only captured at most
>> 96 bytes of each frame.
>>
>> The only rule I have in my config file is "alert tcp any any -> any any"
>> and these are the results that I get:
>>
>> Snort processed 37298 packets.
>>
>> ===============================================================================
>> Breakdown by protocol:
>>    TCP: 32827      (88.013%)
>>    UDP: 475        (1.274%)
>>   ICMP: 32         (0.086%)
>>    ARP: 3176       (8.515%)
>>  EAPOL: 0          (0.000%)
>>   IPv6: 4          (0.011%)
>>    IPX: 7          (0.019%)
>>  OTHER: 531        (1.424%)
>> DISCARD: 246        (0.660%)
>>
>> ===============================================================================
>> Action Stats:
>> ALERTS: 32621
>> LOGGED: 32621
>> PASSED: 0
>>
>> Where do those remaining 206 packets go?  They are tcp so why aren't they
>> logged?  I'm thinking that those 206 frames are the frames that are
>> incomplete.
>>
>> Thanks,
>>
>> Edward Young
>>
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> 
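The thread turns on two things snort does with a capture taken at a 96-byte snaplen: a frame whose captured length is shorter than the IP total length is a "short frame" whose TCP checksum cannot be verified, and a packet whose checksum does not verify is silently dropped unless checksum checking is turned off (the "-k none" Jeff suggests). The following diagnostic is an added example, not code from the thread or from Snort; it constructs its own IPv4/TCP packet (no Ethernet header, constructed addresses and ports) and classifies full, truncated and mangled copies of it the way snort's decoder would.

```python
import struct


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment (0 when valid)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp_packet(payload: bytes) -> bytes:
    """Constructed sample: IPv4 + TCP (no options) with valid IP and TCP checksums."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    cksum = tcp_checksum(src, dst, tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", cksum) + tcp_hdr[18:]
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0, src, dst)
    ip_cksum = (~_ones_complement_sum(ip_hdr)) & 0xFFFF
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_cksum) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


def classify(captured: bytes) -> str:
    """Decide, as snort's decoder would, whether an IPv4/TCP packet from a capture is usable."""
    if len(captured) < 20:
        return "short frame: no IP header"
    ihl = (captured[0] & 0x0F) * 4
    total_len = struct.unpack("!H", captured[2:4])[0]
    if len(captured) < total_len:
        # snaplen cut the packet: the TCP checksum covers bytes that were never captured
        return "short frame: %d of %d bytes captured, checksum unverifiable" % (len(captured), total_len)
    if _ones_complement_sum(captured[:ihl]) != 0xFFFF:
        return "bad ip checksum: dropped unless -k none"
    src, dst = captured[12:16], captured[16:20]
    if tcp_checksum(src, dst, captured[ihl:total_len]) != 0:
        return "bad tcp checksum: dropped unless -k none"
    return "ok"


if __name__ == "__main__":
    pkt = build_tcp_packet(b"GET / HTTP/1.0\r\n" + b"A" * 200)
    for label, sample in (("full", pkt), ("snaplen 96", pkt[:96]), ("mangled", pkt[:-1] + b"B")):
        print(label, "->", classify(sample))
```

Running it shows the full packet as "ok", the 96-byte copy as a short frame, and the copy with one altered payload byte as a checksum failure; the last two are exactly the packets that never reach the "get" content rule unless snort is started with "-k none".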
