[Snort-users] Testing snort

Paul Halliday paul.halliday at ...11827...
Thu May 24 08:33:37 EDT 2012


Sounds complicated :)

Couldn't he just feed the pcap directly to snort:

snort -r <file.pcap> ?

On Thu, May 24, 2012 at 9:19 AM, Nick Moore <nmoore at ...1935...> wrote:
> Sandip,
>
> I have only used it in Linux and Mac OSX. I have to confess that I haven't
> used Windows as my primary workstation for over six years and am not
> familiar with current tools for it. The website mentions Cygwin, which if I
> remember correctly creates a Linux-like environment for Windows. So you're
> pretty much back to square one.
>
> If there are other users on the list who are more knowledgeable regarding
> Windows and available tcpreplay-like utilities, please chime in.
>
> Regarding installation instructions, installing from source is pretty much
> the same as any package:
>
> tar -zxvf tcpreplay-3.x.x.tar.gz
> cd tcpreplay-3.x.x
> ./configure && make && make install
>
> If you run Debian or Ubuntu, you can use apt-get. Most RPM-based distros
> should have tcpreplay. (blatantly plagiarizing from the website).
>
> To quote Marty Roesch "Learn to use Linux. Like eating your broccoli, it's
> good for you." A really good start would be to download a Snort setup doc
> for Ubuntu or CentOS and follow it through. David Gullet has done a much
> better job than I on keeping up with current releases with his Ubuntu doc.
>
> Happy Snorting!
>
> Nick
>
> On Thu, May 24, 2012 at 6:30 AM, Sandip Bankewar <sbankewar at ...15479...>
> wrote:
>>
>> Hi Nick,
>>
>>
>>
>> I am new to this. Could you please provide me steps for installation, or is
>> there any Windows tool?
>>
>>
>>
>>
>>
>> From: Nick Moore [mailto:nmoore at ...1935...]
>> Sent: 24 May 2012 16:44
>> To: Sandip Bankewar
>> Subject: Re: [Snort-users] Testing snort
>>
>>
>>
>> Sandip,
>>
>>
>>
>> Please try tcpreplay.
>>
>>
>>
>> http://tcpreplay.synfin.net/
>>
>>
>>
>> Happy Snorting!
>>
>>
>>
>> Nick
>>
>> On Thu, May 24, 2012 at 5:04 AM, Sandip Bankewar
>> <sbankewar at ...15479...> wrote:
>>
>> Hi All,
>>
>>
>>
>> I want to test Snort using large packets.
>>
>> I started Wireshark and started to capture traffic. I am planning to save
>> a .pcap file and load it into a system running Snort.
>>
>> My question is how can I load a .pcap or Wireshark file to that system?
>>
>> Is there any tool?
>>
>>
>>
>> Is there any other method to test it?
>>
>>
>>
>>
>>
>> Regards,
>>
>> Sandip Bankewar
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
>>
>>
>>
>>
>>
>> --
>> Nick Moore, SFCE, CISSP, CISA
>> Sr. Systems Engineer
>> Voice 708-336-9041
>> Email nick.moore at ...1935...
>> IM    nickgmoore (Yahoo)
>>        nickgmoore38 (AIM)
>>
>>     ,,_
>>    o"  )~   Sourcefire - The Creators of Snort
>>     ''''
>>
>> www.sourcefire.com         www.snort.org     www.immunet.com



-- 
Paul Halliday
http://www.squertproject.org/
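
Added example, not part of the original thread: a constructed capture with known large packets gives the `snort -r <file.pcap>` approach above a repeatable input, so this sketch writes one in classic pcap format and re-parses it as a sanity check. The addresses, MACs, ports, payload sizes and the output filename are placeholders chosen for illustration.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap file, microsecond timestamps
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def udp_frame(payload: bytes, src="192.0.2.10", dst="192.0.2.20", sport=40000, dport=9999) -> bytes:
    """Build Ethernet/IPv4/UDP around payload (placeholder addresses and ports)."""
    if 14 + 20 + 8 + len(payload) > SNAPLEN:
        raise ValueError("frame would exceed the pcap snap length")
    # UDP checksum 0 means "not computed", which is legal over IPv4.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)
    return eth + ip + udp

def write_pcap(path: str, frames) -> None:
    """Write frames as a little-endian classic pcap, one second apart."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
        for second, frame in enumerate(frames):
            f.write(struct.pack("<IIII", second, 0, len(frame), len(frame)) + frame)

def read_pcap_lengths(path: str):
    """Re-parse the file and return each record's captured length."""
    with open(path, "rb") as f:
        data = f.read()
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    lengths, offset = [], 24
    while offset < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        lengths.append(incl_len)
        offset += 16 + incl_len
    return lengths

if __name__ == "__main__":
    write_pcap("large-packets.pcap", [udp_frame(b"A" * 1472), udp_frame(b"B" * 8000)])  # constructed payloads
    print(read_pcap_lengths("large-packets.pcap"))
```

The first frame fills a 1500-byte IP datagram exactly; the second is jumbo-sized, which is fine for offline reading but may not fit a standard-MTU interface if replayed onto a wire.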



