[Snort-users] Replaying pcaps through Snort

waldo kitty wkitty42 at ...14940...
Sat Apr 6 12:42:21 EDT 2013


On 4/6/2013 11:37, Y M wrote:
> They are defined the same on both real and testing (VMs) boxes:
>
> $HOME_NET any
> $EXTERNAL_NET any

And the pcap is made from the correct side of the connection? The same side that 
Snort is sniffing?


> Thanks.
> YM
>
>  > Date: Sat, 6 Apr 2013 11:27:19 -0500
>  > From: wkitty42 at ...14940...
>  > To: snort-users at lists.sourceforge.net
>  > Subject: Re: [Snort-users] Replaying pcaps through Snort
>  >
>  > On 4/6/2013 10:41, Y M wrote:
>  > > Nothing, just -c for the conf file.
>  > >
>  > > I'm writing some rules, which worked fine on a real environment. But when
>  > > running on a test environment, replicating the same real scenario, it's getting
>  > > backwards.
>  >
>  > do you have $HOME_NET and $EXTERNAL_NET defined properly/same in the test
>  > environment as in the live environment?
>  >
>  > > So I thought I'm looking at the wrong direction; tagging on the responses, not
>  > > the requests, but the responses do not contain the content I'm matching on.
>  > >
>  > > By the way, I'm planning to submit the rules to the VRT once I finish testing.
>  > >
>  > > Thanks.
>  > > YM
>  > >
> --------------------------------------------------------------------------------
>  > > From: Joel Esler <mailto:jesler at ...1935...>
>  > > Sent: 4/6/2013 6:33 PM
>  > > To: Y M <mailto:snort at ...15979...>
>  > > Cc: snort <mailto:snort-users at lists.sourceforge.net>
>  > > Subject: Re: [Snort-users] Replaying pcaps through Snort
>  > >
>  > > Nope. -r is the correct command. What other commands are you issuing to Snort?
>  > >
>  > > --
>  > > *Joel Esler*
>  > > Sent from my iPhone 
>  > >
>  > > On Apr 6, 2013, at 8:43 AM, Y M <snort at ...15979... <mailto:snort at ...15979...>>
>  > > wrote:
>  > >
>  > >> I have a pcap generated from some testing, and let's assume that the source ip
>  > >> is 192.168.1.10:5432 and destination ip is 192.168.1.15:445, which conforms to
>  > >> the test scenario I was working with and as captured by wireshark.
>  > >>
>  > >> However, replaying the pcap file through Snort (-r), Snort is reporting source
>  > >> and destination ip addresses backwards, i.e.: source ip is 192.168.1.15:445
>  > >> and the destination ip 192.168.1.10:5432.
>  > >>
>  > >> What am I missing? Is there an extra argument I must input?

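As an added example that is not part of this thread: a dependency-free Python check that reads a classic libpcap file and reports, for each TCP flow, which endpoint sent the bare SYN. This is independent of Snort's $HOME_NET/$EXTERNAL_NET and of which side the capture was taken on, so it shows whether the pcap even contains the client's SYN. The addresses and ports from the original question are used as constructed sample data, and the parser assumes plain Ethernet/IPv4 frames in pcap (not pcapng) format.

```python
import struct

SYN, ACK = 0x02, 0x10

def build_tcp_frame(src, sport, dst, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame with no payload (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp          # zero MACs, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a libpcap file: magic, version 2.4, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def flow_initiators(pcap_bytes):
    """Return {flow: initiator}: flow is the sorted ('ip:port', 'ip:port') pair, initiator
    the endpoint that sent the bare SYN, or None if the capture starts mid-stream."""
    flows = {}
    off = 24                                            # skip the global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from("<I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or len(frame) < 34:
            continue                                    # not IPv4 over Ethernet
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        if ip[9] != 6 or len(tcp) < 20:
            continue                                    # not TCP, or truncated
        src = "%d.%d.%d.%d:%d" % (*ip[12:16], struct.unpack_from("!H", tcp)[0])
        dst = "%d.%d.%d.%d:%d" % (*ip[16:20], struct.unpack_from("!H", tcp, 2)[0])
        key = tuple(sorted((src, dst)))
        flows.setdefault(key, None)
        if tcp[13] & SYN and not tcp[13] & ACK:         # bare SYN = client side
            flows[key] = src
    return flows

if __name__ == "__main__":
    # Constructed capture for the thread's addresses: full handshake vs. mid-stream (no SYN)
    a, b = ("192.168.1.10", 5432), ("192.168.1.15", 445)
    handshake = [build_tcp_frame(*a, *b, SYN), build_tcp_frame(*b, *a, SYN | ACK),
                 build_tcp_frame(*a, *b, ACK)]
    for label, frames in (("full", handshake), ("mid-stream", handshake[1:])):
        for flow, who in flow_initiators(build_pcap(frames)).items():
            print(label, flow, "initiator:", who or "unknown (no SYN in capture)")
```

A flow reported with no initiator means the capture started mid-stream, so client/server direction cannot be read from the handshake; that is worth knowing before comparing Snort's reported direction with what Wireshark shows.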