[Snort-users] Reading a TCPdump file

sekure sekure at ...11827...
Fri Oct 22 06:49:22 EDT 2004


Try defining HOME_NET and EXTERNAL_NET as any and see what happens.

Also try disabling the stream4 preprocessor.


On Fri, 22 Oct 2004 14:35:13 +0100, Mark Johnston
<mark.johnston at ...12582...> wrote:
> Hi there,
> 
> Thanks for the reply ...
> 
> HOME_NET is defined as the IP of the address of the host, e.g. 10.10.10.5/32, and EXTERNAL_NET is defined as !HOME_NET. The file is the entire capture of all sessions to that box (it was inline). I didn't use the -z option in the command line.
> 
> Thanks
> Mark
> 
> 
> 
> -----Original Message-----
> From: sekure [mailto:sekure at ...11827...]
> Sent: 22 October 2004 14:20
> To: Mark Johnston
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Reading a TCPdump file
> 
> Mark,
> 
> Are your HOME_NET and EXTERNAL_NET variables defined correctly?
> 
> Also, I am not exactly sure if the tcpdump contains a complete
> session, or just the alerts, but if it does NOT contain the entire
> session, Snort won't even look at it, unless you remove the "-z" from
> the command line (which looks like you did), and remove the "flow"
> keyword from the rules.
> 
> On Thu, 21 Oct 2004 15:15:36 +0100, Mark Johnston
> <mark.johnston at ...12582...> wrote:
> > I'm looking at one of the honeynet scan of the month projects (#27). And
> > what I'm trying to do is get snort to read the TCPdump capture file and view
> > the alerts. Thus far I have configured the conf file to have the appropriate
> > values and run snort against the file, however I'm not getting any generated
> > alerts. I know that I should be getting some though. I also have the latest
> > version of the rules and am running snort 2.2 for Fedora Core 2. The command
> > that I am using is "snort -A full -c /etc/snort/snort.conf -r sotm27"
> 
> 




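To make the HOME_NET/EXTERNAL_NET suggestion concrete, here is a small added example (not code from the thread or from Snort) that models how snort.conf address variables resolve (CIDR, `!` negation, `any`, `$NAME` references) and checks a rule header against both packets of a constructed inline session. With HOME_NET as a single /32 and EXTERNAL_NET as its negation, a rule written `$EXTERNAL_NET any -> $HOME_NET any` can only match the inbound half of the session; with both variables set to `any`, it matches both directions.

```python
"""Toy model of Snort rule-header address matching (added example, not part of
the thread and not Snort's own code). Variable syntax mirrors snort.conf:
'any', 'a.b.c.d/n', '!<expr>', '$NAME'. Packets are constructed samples."""
import ipaddress


def resolve_var(value, variables):
    """Return a predicate ip -> bool for one snort.conf address expression."""
    value = value.strip()
    if value == "any":
        return lambda ip: True
    if value.startswith("!"):                     # negation: !$HOME_NET
        inner = resolve_var(value[1:], variables)
        return lambda ip: not inner(ip)
    if value.startswith("$"):                     # reference to another var
        return resolve_var(variables[value[1:]], variables)
    net = ipaddress.ip_network(value, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def header_matches(rule_header, pkt, variables):
    """rule_header: 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80'
    pkt: (src_ip, src_port, dst_ip, dst_port). Port spec is 'any' or a number."""
    _, _, src, sport, _, dst, dport = rule_header.split()
    port_ok = lambda spec, p: spec == "any" or int(spec) == p
    return (resolve_var(src, variables)(pkt[0]) and port_ok(sport, pkt[1])
            and resolve_var(dst, variables)(pkt[2]) and port_ok(dport, pkt[3]))


def count_matches(variables, packets, rule):
    """Number of packets whose header the rule would even consider."""
    return sum(header_matches(rule, p, variables) for p in packets)


# Constructed sample: one HTTP session seen from both sides on an inline sensor.
SESSION = [
    ("192.0.2.7", 40123, "10.10.10.5", 80),   # client -> honeypot
    ("10.10.10.5", 80, "192.0.2.7", 40123),   # honeypot -> client
]
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"
HOST_VARS = {"HOME_NET": "10.10.10.5/32", "EXTERNAL_NET": "!$HOME_NET"}
ANY_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

if __name__ == "__main__":
    print(count_matches(HOST_VARS, SESSION, RULE))  # 1: inbound packet only
    print(count_matches(ANY_VARS, SESSION, RULE))   # 2: both directions
```

Rules whose header names the honeypot as the source (for example an outbound-response signature) are in the same position mirrored, so a narrow HOME_NET is not wrong, but it does decide which half of a session each rule can see.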