[Snort-users] Reading a TCPdump file

sekure sekure at ...11827...
Fri Oct 22 06:24:13 EDT 2004


Mark,

Are your HOME_NET and EXTERNAL_NET variables defined correctly?

Also, I am not exactly sure if the tcpdump contains a complete
session, or just the alerts, but if it does NOT contain the entire
session, Snort won't even look at it, unless you remove the "-z" from
the commandline (which looks like you did), and remove the "flow"
keyword from the rules.


On Thu, 21 Oct 2004 15:15:36 +0100, Mark Johnston
<mark.johnston at ...12582...> wrote:
> I'm looking at one of the honeynet scan of the month projects (#27). And
> what I'm trying to do is get snort to read the TCPdump capture file and view
> the alerts. Thus far I have configured the conf file to have the appropriate
> values and run snort against the file, however I'm not getting any generated
> alerts. I know that I should be getting some though. I also have the latest
> version of the rules and am running snort 2.2 for Fedora Core 2. The command
> that I am using is "snort -A full -c /etc/snort/snort.conf -r sotm27"
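The point about whether the capture holds complete sessions is worth checking before touching the rules: with stream4's `-z est` behaviour and rules carrying the `flow:established` keyword, Snort ignores TCP traffic whose three-way handshake it never saw, so a capture that starts mid-stream produces no alerts at all. The script below is an added example, not code from the list thread or the Snort project. It parses a classic libpcap file with only the standard library and reports, per TCP flow, whether the SYN, SYN/ACK, ACK exchange is present; the capture it runs on is constructed inline (addresses and ports are made up), but `classify_flows` accepts the bytes of any Ethernet pcap read from disk.

```python
"""Report which TCP flows in a libpcap file include their three-way handshake.

Added example for the thread above; not Snort code. All sample addresses,
ports and payloads are constructed here for the demonstration.
"""
import socket
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"            # dummy MACs, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield raw link-layer frames from a libpcap file, handling either byte order."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng/nanosecond not handled)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        pos += 16
        yield pcap[pos:pos + incl_len]
        pos += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                          # IP protocol field: 6 = TCP
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]      # byte 13 holds the TCP flags


def classify_flows(pcap):
    """Map each TCP flow to 'established' (handshake seen) or 'midstream'."""
    state = defaultdict(set)                    # flow key -> handshake stages observed
    for frame in iter_frames(pcap):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, flags = pkt
        a, b = (src, sport), (dst, dport)
        stages = state[(a, b) if a < b else (b, a)]   # direction-independent key
        if flags & SYN and not flags & ACK:
            stages.add("syn")
        elif flags & SYN and flags & ACK:
            stages.add("synack")
        elif flags & ACK and {"syn", "synack"} <= stages:
            stages.add("ack")
    return {f"{k[0][0]}:{k[0][1]} <-> {k[1][0]}:{k[1][1]}":
            "established" if {"syn", "synack", "ack"} <= s else "midstream"
            for k, s in state.items()}


def sample_capture():
    """Constructed capture: one full session plus one session captured midstream."""
    c, s = "10.0.0.5", "10.0.0.80"
    full = [
        build_frame(c, s, 40000, 80, SYN),
        build_frame(s, c, 80, 40000, SYN | ACK),
        build_frame(c, s, 40000, 80, ACK),
        build_frame(c, s, 40000, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
    ]
    partial = [                                 # no handshake: stream4/flow rules skip it
        build_frame(c, s, 40001, 80, PSH | ACK, b"GET /index.html HTTP/1.0\r\n\r\n"),
        build_frame(s, c, 80, 40001, ACK),
    ]
    return build_pcap(full + partial)


if __name__ == "__main__":
    for flow, status in classify_flows(sample_capture()).items():
        print(f"{status:12} {flow}")
```

Run it against a real file with `classify_flows(open("sotm27", "rb").read())`; if every flow of interest comes back `midstream`, the missing alerts are explained by the handshake being absent rather than by the rule set or the variables, and the workaround sekure describes (no `-z`, rules without `flow`) is the one to try.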



