[Snort-users] Replaying pcaps through Snort

waldo kitty wkitty42 at ...14940...
Sat Apr 6 12:27:19 EDT 2013


On 4/6/2013 10:41, Y M wrote:
> Nothing, just -c for the conf file.
>
> I'm writing some rules, which worked fine on a real environment. But when
> running on a test environment, replicating the same real scenario, it's getting
> backwards.

do you have $HOME_NET and $EXTERNAL_NET defined properly/same in the test 
environment as in the live environment?

> So I thought I'm looking at the wrong direction; tagging on the responses, not
> the requests, but the responses do not contain the content I'm matching on.
>
> By the way, I'm planning to submit the rules to the VRT once I finish testing.
>
> Thanks.
> YM
> --------------------------------------------------------------------------------
> From: Joel Esler <mailto:jesler at ...1935...>
> Sent: 4/6/2013 6:33 PM
> To: Y M <mailto:snort at ...15979...>
> Cc: snort <mailto:snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Replaying pcaps through Snort
>
> Nope. -r is the correct command. What other commands are you issuing to Snort?
>
> --
> *Joel Esler*
> Sent from my iPhone 
>
> On Apr 6, 2013, at 8:43 AM, Y M <snort at ...15979... <mailto:snort at ...15979...>>
> wrote:
>
>> I have a pcap generated from some testing, and let's assume that the source IP
>> is 192.168.1.10:5432 and destination IP is 192.168.1.15:445, which conforms to
>> the test scenario I was working with and as captured by Wireshark.
>>
>> However, replaying the pcap file through Snort (-r), Snort is reporting source
>> and destination IP addresses backwards, i.e.: source IP is 192.168.1.15:445
>> and the destination IP 192.168.1.10:5432.
>>
>> What am I missing? Is there an extra argument I must input?
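One check that bears on the direction question in this thread, as an added example that is not code from the thread, from the poster, or from Snort: a small Python script that parses the pcap, finds the first pure SYN to determine which endpoint opened the session (the side a rule with `flow:to_server` treats as the client), reports whether the handshake is in the capture at all, and classifies each endpoint against a $HOME_NET list. The pcap bytes are constructed inside the block (minimal Ethernet/IPv4/TCP frames, zeroed MACs and checksums) using the 192.168.1.10:5432 -> 192.168.1.15:445 addresses from the thread; the `build_pcap`, `check` and `side` names are this example's own.

```python
"""Inspect a pcap before replaying it through Snort with -r: which side
opened the TCP session, whether the handshake is in the capture at all,
and which endpoints fall in $HOME_NET.

Added example for this thread, not code from Snort or from the poster.
Assumptions: classic pcap (not pcapng), Ethernet link type, IPv4/TCP
packets; the sample captures below are constructed, not the poster's."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TCP_SYN = 0x02
TCP_PSH = 0x08
TCP_ACK = 0x10


def parse_pcap(data):
    """Yield (src, sport, dst, dport, tcp_flags) for every IPv4/TCP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24  # end of the 24-byte global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:
            continue  # not TCP, or truncated before the TCP flags byte
        src = str(ipaddress.IPv4Address(ip[12:16]))
        dst = str(ipaddress.IPv4Address(ip[16:20]))
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        yield src, sport, dst, dport, ip[ihl + 13]


def session_direction(packets):
    """Return ((client_ip, port), (server_ip, port)) from the first pure SYN,
    or None when no SYN is present, i.e. the capture starts mid-stream."""
    for src, sport, dst, dport, flags in packets:
        if flags & TCP_SYN and not flags & TCP_ACK:
            return (src, sport), (dst, dport)
    return None


def side(addr, home_nets):
    """Classify an address the way a $HOME_NET / $EXTERNAL_NET header sees it."""
    nets = [ipaddress.ip_network(n) for n in home_nets]
    inside = any(ipaddress.ip_address(addr) in n for n in nets)
    return "HOME_NET" if inside else "EXTERNAL_NET"


def check(pcap_bytes, home_nets):
    """Summarise the session for the rule author; home_nets is a CIDR list."""
    found = session_direction(parse_pcap(pcap_bytes))
    if found is None:
        return {"handshake": False}
    (cip, cport), (sip, sport) = found
    return {
        "handshake": True,
        "client": f"{cip}:{cport}", "client_side": side(cip, home_nets),
        "server": f"{sip}:{sport}", "server_side": side(sip, home_nets),
    }


def build_pcap(packets):
    """Constructed test data: a minimal pcap with zeroed MACs and checksums."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, (src, sport, dst, dport, flags) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


# Constructed samples using the addresses from the thread.
CLIENT, SERVER = "192.168.1.10", "192.168.1.15"
FULL_SESSION = build_pcap([
    (CLIENT, 5432, SERVER, 445, TCP_SYN),
    (SERVER, 445, CLIENT, 5432, TCP_SYN | TCP_ACK),
    (CLIENT, 5432, SERVER, 445, TCP_ACK),
    (CLIENT, 5432, SERVER, 445, TCP_PSH | TCP_ACK),  # the request
])
MID_STREAM = build_pcap([  # capture started after the handshake
    (CLIENT, 5432, SERVER, 445, TCP_PSH | TCP_ACK),
    (SERVER, 445, CLIENT, 5432, TCP_ACK),
])

if __name__ == "__main__":
    print(check(FULL_SESSION, ["192.168.1.0/24"]))
    print(check(MID_STREAM, ["192.168.1.0/24"]))
```

If `check` reports no handshake, the capture started mid-stream and Snort has no SYN from which to tell client from server, so `flow:to_server`/`to_client` and the source/destination shown in the alert may not line up with what Wireshark shows; recapture from before the connection opens. Both endpoints here are in 192.168.1.0/24, so if HOME_NET is that network and EXTERNAL_NET is `!$HOME_NET`, a header such as `$EXTERNAL_NET any -> $HOME_NET 445` cannot match either direction of this session; with EXTERNAL_NET set to `any` it matches the request direction only.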
