[Snort-users] how to create testing data files??

Ryan Jordan ryan.jordan at ...1935...
Mon Aug 16 10:30:04 EDT 2010


> [quote] Note that Snort will not try to determine whether the files under that
> directory are really pcap files or not. [/quote]

This means that your directory better have pcap files in it, because
Snort's going to try and load them as pcaps! :)  Perhaps this is
something we can make a little more clear.

When I'm testing rules or things I've developed, I typically use Scapy
to craft pcaps. At one point, I used the following setup for more
rapid (but less repeatable!) testing:

Get 2 hosts. I used my workstation and a VM. On one end, named
"foobar", run netcat in listen mode:
[ryan at ...14967...]$ nc -l -p 5555

On the other end, connect with netcat:
[ryan at ...14968...]$ nc foobar 5555

On the client's end, I ran Snort with my rules to test. I used a BPF
to get only this traffic:
[ryan at ...14968...]$ snort -c testing.conf -i eth0 -F my_bpf.txt -A cmg -k none

The contents of my BPF:
[ryan at ...14968...]$ cat my_bpf.txt
host foobar and port 5555

Finally, I can just type stuff into my netcat window and watch the
alerts pop up in my Snort window.

I found this to be useful when I was debugging some pattern matcher
weirdness in the Sensitive Data preprocessor. This approach is less
useful if you want to save your tests and script them up to be run
later -- pcaps are great for this.

You'll also run into trouble if you want to test a more complex
protocol than raw text over TCP, but we'll save that for another day.
:)

-Ryan

On Sat, Aug 14, 2010 at 3:35 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> how can we create data files and test rules without having to create pcaps? i've
> tried creating a file with some test strings in it and feeding it to snort via
> the various pcap reading methods but snort always whines "bad dump file format"
> and quits...
>
> the snort 2.8.6.1 manual specifically states, in section 1.7.2 at the bottom of
> page 16...
>
> [quote] Note that Snort will not try to determine whether the files under that
> directory are really pcap files or not. [/quote]
>
> that indicates that we can create a "text" file and feed it to snort... what am
> i missing??
>
>
> i get the following output from snort...
>
>
> snort --pcap-file=ptest.txt
> [...]
> TCPDUMP file reading mode.
> Reading network traffic from "/home/user/pcaps/test" file.
> ERROR: Unable to open file "/home/user/pcaps/test" for readback: bad dump file
> format
> Fatal Error, Quitting..
>
>
>
>
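
Added example, not part of the original thread: one way to turn plain test strings into a real pcap, so Snort does not reject the file with "bad dump file format". It uses only the Python standard library rather than Scapy; the addresses, MACs, client port, sequence numbers, timestamps and the output name test.pcap are constructed, and port 5555 is taken from the netcat setup above.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an arbitrary byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Build an Ethernet + IPv4 + TCP frame with valid IP and TCP checksums."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # Constructed, locally administered MACs (same on every frame); EtherType IPv4.
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp + payload

def build_pcap(lines, client="10.0.0.1", server="10.0.0.2", sport=40000, dport=5555):
    """Return pcap bytes: a TCP handshake, then one client->server segment per line."""
    c_seq, s_seq = 1000, 5000  # constructed initial sequence numbers
    frames = [
        tcp_frame(client, server, sport, dport, c_seq, 0, 0x02),              # SYN
        tcp_frame(server, client, dport, sport, s_seq, c_seq + 1, 0x12),      # SYN/ACK
        tcp_frame(client, server, sport, dport, c_seq + 1, s_seq + 1, 0x10),  # ACK
    ]
    c_seq += 1
    for line in lines:
        frames.append(tcp_frame(client, server, sport, dport, c_seq, s_seq + 1, 0x18, line))
        c_seq += len(line)
    # Global header: magic, version 2.4, timezone, sigfigs, snaplen, linktype 1 (Ethernet).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # Record header: ts_sec (constructed), ts_usec, captured length, original length.
        out += struct.pack("<IIII", 1 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    with open("test.pcap", "wb") as fh:
        fh.write(build_pcap([b"test string one\n", b"test string two\n"]))
```

The handshake is included so rules that depend on an established flow can match. Read the result back with: snort -c testing.conf -A cmg -r test.pcap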



