[Snort-users] how to create testing data files??
wkitty42 at ...14940...
Tue Aug 17 14:57:28 EDT 2010
On 8/16/2010 10:30, Ryan Jordan wrote:
>> [quote] Note that Snort will not try to determine whether the files under that
>> directory are really pcap files or not. [/quote]
> This means that your directory better have pcap files in it, because
> Snort's going to try and load them as pcaps! :) Perhaps this is
> something we can make a little more clear.
i would say so because i read it that snort wouldn't care in this case if they
are pcaps or plain text/binary files... i mean, heck, "i" just want to create a
file of "aaaaABCxEFGaaaa" and feed it to snort to see if that rule fires based
on that string ;)
> When I'm testing rules or things I've developed, I typically use Scapy
> to craft pcaps. At one point, I used the following setup for more
> rapid (but less repeatable!) testing:
> Get 2 hosts. I used my workstation and a VM. On one end, named
> "foobar", run netcat in listen mode:
> [ryan at ...14967...]$ nc -l -p 5555
> On the other end, connect with netcat:
> [ryan at ...14968...]$ nc foobar 5555
> On the client's end, I ran Snort with my rules to test. I used a BPF
> to get only this traffic:
> [ryan at ...14968...]$ snort -c testing.conf -i eth0 -F my_bpf.txt -A cmg -k none
> The contents of my BPF:
> [ryan at ...14968...]$ cat my_bpf.txt
> host foobar and port 5555
> Finally, I can just type stuff into my netcat window and watch the
> alerts pop up in my Snort window.
> I found this to be useful when I was debugging some pattern matcher
> weirdness in the Sensitive Data preprocessor. This approach is less
> useful if you want to save your tests and script them up to be run
> later -- pcaps are great for this.
> You'll also run into trouble if you want to test a more complex
> protocol than raw text over TCP, but we'll save that for another day.
thanks for that... i'm sure it will be helpful to some... sadly, though, it made
my eyes cross and i had to use sandpaper on them to be able to write this :?
getting old too soon and too fast :(
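Ryan's quoted setup crafts pcaps with Scapy; the script below is an added example, not code from the thread, that does the same with nothing but the Python standard library: it writes a classic pcap holding a TCP handshake and one data segment carrying the "aaaaABCxEFGaaaa" test string, and it adds the magic-number check that Snort skips when it loads a pcap directory. The IP addresses, port, MAC addresses and sequence numbers are made-up values.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGICS = (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",   # usec, LE / BE
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d")   # nsec, LE / BE

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP frame with valid checksums (MACs are made up)."""
    sip, dip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("00112233445566778899aabb0800") + ip + tcp

def session_frames(payload: bytes, client="10.0.0.2", server="10.0.0.1", port=5555):
    """3-way handshake, then one PSH/ACK carrying `payload` (like typing into nc)."""
    SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18
    cseq, sseq, sport = 1000, 2000, 40000           # constructed sample values
    return [
        tcp_frame(client, server, sport, port, cseq, 0, SYN),
        tcp_frame(server, client, port, sport, sseq, cseq + 1, SYNACK),
        tcp_frame(client, server, sport, port, cseq + 1, sseq + 1, ACK),
        tcp_frame(client, server, sport, port, cseq + 1, sseq + 1, PSHACK, payload),
    ]

def write_pcap(path, frames, ts=1281996000):
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", ts + i, 0, len(frame), len(frame)))
            f.write(frame)

def is_pcap(path) -> bool:
    """Magic-number check; Snort's pcap-directory option does not do this for you."""
    with open(path, "rb") as f:
        return f.read(4) in PCAP_MAGICS
```

Run `write_pcap("rule_test.pcap", session_frames(b"aaaaABCxEFGaaaa"))` and point Snort at the file to see whether the rule fires on that string; `is_pcap` is a cheap guard to run over a directory before handing it to Snort.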