[Snort-users] tcpdump file analysis

Oguz Yarimtepe comp.ogz at ...11827...
Sun May 3 13:06:20 EDT 2009


On Sun, 2009-05-03 at 04:32 -0400, Joel Esler wrote:
> Yes, If you run Snort as you would any other time in IPS mode "-c", and
> simply use the output plugins you have defined in your snort.conf, when
> you run Snort with the -r option, it will log the alerts generated from

I ran it in this way:

snort -c /etc/snort/snort.conf -de -r attack-test.pcap 

But it seems it doesn't process the file, because I don't see any attack
info at the BASE web interface.

attack-test.pcap is produced by 

nmap -P0 -sS -p 135,139,445,80,21,20,22 -e lo  192.168.2.4

and

snort -c /etc/snort/snort.conf -de -r attack-test.pcap

....

Here is the command output:
328 out of 512 flowbits in use.
TCPDUMP file reading mode.
Reading network traffic from "attack-test.pcap" file.
snaplen = 65535
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = unknown:[reading from a file]
database:     sensor id = 8
database: schema version = 107
database: using the "log" facility
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = unknown:[reading from a file]
database:     sensor id = 8
database: schema version = 107
database: using the "log" facility
 
(It waits here without processing)

So I may be doing some misconfiguration.

I am using the pre-compiled snort-mysql deb file from the Ubuntu Hardy 8.0
repo.


-- 
Oguz Yarimtepe
http://www.loopbacking.info
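One thing worth checking before blaming the Snort configuration is the capture file itself: whether it really contains packets, what snaplen it declares (the "snaplen = 65535" line Snort prints in file-reading mode comes from this header) and which link-layer type it was captured with. The following is an added example, not code from the original post or from the Snort project; it parses the classic libpcap global header and walks the packet records, and uses a small pcap constructed inline (two Ethernet records) in place of attack-test.pcap. The `parse_pcap`, `build_sample_pcap` and `describe` names are this example's own.

```python
"""Sanity-check a pcap before feeding it to `snort -r`.

Added example, not from the mailing-list post or from Snort. It parses
the libpcap global header (magic, version, snaplen, link type) and walks
the per-packet records, so an empty or truncated capture is reported
instead of silently producing no alerts.
"""
import struct
import sys

# Magic numbers of the classic libpcap format (either byte order,
# microsecond or nanosecond timestamps).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),   # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", "us"),   # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),   # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", "ns"),   # big-endian, nanoseconds
}

# A few well-known DLT values from libpcap's pcap/dlt.h.
LINKTYPES = {
    0: "DLT_NULL (BSD loopback)",
    1: "DLT_EN10MB (Ethernet)",
    113: "DLT_LINUX_SLL (Linux cooked capture)",
}


def parse_pcap(data: bytes) -> dict:
    """Return the global header fields and one tuple per packet record.

    Raises ValueError on a bad magic number or a truncated record.
    """
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    try:
        endian, ts_unit = MAGICS[data[:4]]
    except KeyError:
        raise ValueError("not a classic libpcap file (magic %r)" % data[:4])
    # version major/minor, thiszone, sigfigs, snaplen, network (DLT)
    ver_major, ver_minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    records = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        # incl_len may never exceed snaplen, and the data must be present.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_frac, incl_len, orig_len))
        off += incl_len
    return {
        "version": (ver_major, ver_minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "DLT %d" % linktype),
        "timestamp_unit": ts_unit,
        "packets": len(records),
        "records": records,
    }


def describe(info: dict) -> str:
    """One-line summary of the parsed header, in the spirit of Snort's banner."""
    return "pcap v%d.%d, snaplen = %d, link type %s, %d packet(s)" % (
        info["version"] + (info["snaplen"], info["linktype_name"],
                           info["packets"]))


def build_sample_pcap() -> bytes:
    """Constructed sample standing in for attack-test.pcap: little-endian,
    snaplen 65535, Ethernet link type, two short records."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkt1 = b"\xff" * 14 + b"payload"          # 21 bytes
    pkt2 = b"\x00" * 14                       # 14 bytes
    rec1 = struct.pack("<IIII", 1241370000, 0, len(pkt1), len(pkt1)) + pkt1
    rec2 = struct.pack("<IIII", 1241370000, 500, len(pkt2), len(pkt2)) + pkt2
    return hdr + rec1 + rec2


if __name__ == "__main__":
    # Usage: python pcapcheck.py attack-test.pcap   (no argument: built-in sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(describe(parse_pcap(raw)))
```

A capture taken on `lo` will normally not carry the Ethernet link type that a NIC capture has, so the reported DLT is the first thing to compare against what the sensor expects; a file that parses with zero packets, or that raises the truncation error, explains an empty BASE console without any Snort configuration being wrong.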