[Snort-users] how to create testing data files??

Russ Combs rcombs at ...1935...
Fri Aug 20 09:22:37 EDT 2010


On Tue, Aug 17, 2010 at 2:57 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 8/16/2010 10:30, Ryan Jordan wrote:
> >> [quote] Note that Snort will not try to determine whether the files under that
> >> directory are really pcap files or not. [/quote]
> >
> > This means that your directory better have pcap files in it, because
> > Snort's going to try and load them as pcaps! :)  Perhaps this is
> > something we can make a little more clear.
>
> i would say so because i read it that snort wouldn't care in this case if they
> are pcaps or plain text/binary files... i mean, heck, "i" just want to create a
> file of "aaaaABCxEFGaaaa" and feed it to snort to see if that rule fires based
> on that string ;)
>
> > When I'm testing rules or things I've developed, I typically use Scapy
> > to craft pcaps. At one point, I used the following setup for more
> > rapid (but less repeatable!) testing:
> >
> > Get 2 hosts. I used my workstation and a VM. On one end, named
> > "foobar", run netcat in listen mode:
> > [ryan at ...14967...]$ nc -l -p 5555
> >
> > On the other end, connect with netcat:
> > [ryan at ...14968...]$ nc foobar 5555
> >
> > On the client's end, I ran Snort with my rules to test. I used a BPF
> > to get only this traffic:
> > [ryan at ...14968...]$ snort -c testing.conf -i eth0 -F my_bpf.txt -A cmg -k none
> >
> > The contents of my BPF:
> > [ryan at ...14968...]$ cat my_bpf.txt
> > host foobar and port 5555
> >
> > Finally, I can just type stuff into my netcat window and watch the
> > alerts pop up in my Snort window.
> >
> > I found this to be useful when I was debugging some pattern matcher
> > weirdness in the Sensitive Data preprocessor. This approach is less
> > useful if you want to save your tests and script them up to be run
> > later -- pcaps are great for this.
> >
> > You'll also run into trouble if you want to test a more complex
> > protocol than raw text over TCP, but we'll save that for another day.
> > :)
>
> thanks for that... i'm sure it will be helpful to some... sadly, though, it made
> my eyes cross and i had to use sandpaper on them to be able to write this :?
> getting old too soon and too fast :(
>

You might try this: http://sourceforge.net/projects/abcip/.

Using a file like this, say test.abc:

# define the encapsulations
d ( stack="eth:ip4:udp" )

# generate packets with given payloads
a ( pay="ABCEFG" )
a ( pay="ABCxEFG" )
a ( pay="ABCx123456EFG" )
a ( pay="ABCx1234567EFG" )
a ( pay="ABCx12345678EFG" )
a ( pay="ABCx123456789EFG" )
a ( pay="ABCxx123456EFG" )
a ( pay="ABCxx1234567EFG" )
a ( pay="ABCxx12345678EFG" )
a ( pay="ABCxx123456789EFG" )

Which will produce a pcap with this command:

abcip --pcap test.pcap < test.abc

Russ
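The following is an added example, not part of the thread and not the abcip tool's or Snort's code. It reproduces in plain Python (standard library only, no Scapy) what the test.abc file above asks abcip to do: write a pcap of eth:ip4:udp frames, one per payload, that `snort -r test.pcap -c testing.conf -A cmg` can replay against a rule. Both the IPv4 and UDP checksums are computed properly; that matters because Snort's default checksum mode (`-k all`) does not run rules against packets whose checksums fail, which is why Ryan's live-capture command passes `-k none`. The MAC addresses, IP addresses, ports and timestamps are assumed values chosen for the example.

```python
"""Write a pcap of eth:ip4:udp frames carrying test payloads (added example)."""
import struct

# Assumed/constructed addressing; any values work for offline rule testing.
SRC_MAC = bytes.fromhex("000000000001")
DST_MAC = bytes.fromhex("000000000002")
SRC_IP = "10.1.1.1"
DST_IP = "10.1.1.2"
SRC_PORT = 40000
DST_PORT = 5555          # same port Ryan's netcat test used

# The payloads from test.abc, one frame each.
PAYLOADS = [
    b"ABCEFG", b"ABCxEFG",
    b"ABCx123456EFG", b"ABCx1234567EFG", b"ABCx12345678EFG", b"ABCx123456789EFG",
    b"ABCxx123456EFG", b"ABCxx1234567EFG", b"ABCxx12345678EFG", b"ABCxx123456789EFG",
]


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_udp_frame(payload: bytes, ident: int = 1) -> bytes:
    """Ethernet II + IPv4 + UDP frame with valid checksums around `payload`."""
    src, dst = ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP)
    udp_len = 8 + len(payload)
    # UDP checksum covers pseudo-header (src, dst, zero, proto 17, length) + UDP header + payload.
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    udp_nocsum = struct.pack("!HHHH", SRC_PORT, DST_PORT, udp_len, 0)
    csum = ip_checksum(pseudo + udp_nocsum + payload) or 0xFFFF  # 0 is "no checksum" in UDP
    udp_hdr = struct.pack("!HHHH", SRC_PORT, DST_PORT, udp_len, csum)
    # IPv4: version/IHL, TOS, total length, id, flags(DF)+frag, TTL, proto, csum, src, dst.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ident, 0x4000, 64, 17, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)
    return eth_hdr + ip_hdr + udp_hdr + payload


def verify_frame(frame: bytes) -> bool:
    """Recompute both checksums over a built frame; each must fold to zero."""
    ip_hdr, udp = frame[14:34], frame[34:]
    if ip_checksum(ip_hdr) != 0:
        return False
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 17, len(udp))
    return ip_checksum(pseudo + udp) == 0


def build_pcap(frames, snaplen: int = 65535) -> bytes:
    """Classic libpcap file: 24-byte global header, then 16-byte record header + frame."""
    # magic 0xA1B2C3D4 (microsecond timestamps), version 2.4, thiszone 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET (1)
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for i, frame in enumerate(frames):
        ts_sec, ts_usec = 1282300000 + i, 0          # constructed timestamps, one second apart
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def write_test_pcap(path: str = "test.pcap") -> int:
    """Write every PAYLOADS entry as its own frame; returns the frame count."""
    frames = [build_udp_frame(p, ident=i + 1) for i, p in enumerate(PAYLOADS)]
    with open(path, "wb") as f:
        f.write(build_pcap(frames))
    return len(frames)


if __name__ == "__main__":
    n = write_test_pcap()
    print(f"wrote {n} frames to test.pcap; replay with: snort -r test.pcap -c testing.conf -A cmg")
```

Swap in TCP, or a different payload list, and you have the same repeatable test file Ryan recommends pcaps for; because every frame carries valid checksums you can leave Snort's checksum mode at its default rather than adding `-k none`.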