[Snort-users] Replaying pcaps through Snort

Y M snort at ...15979...
Sat Apr 6 12:58:04 EDT 2013


Yes. The real pcap, for example, had src as 192.168.1.10 and dst as 192.168.1.15. The test pcap, for example, had src as 192.168.2.133 and dst as 192.168.1.134. In both cases, the capture being replayed is from the source machine, and the rule direction was $HOME_NET -> $EXTERNAL_NET. In the real environment, this generated an alert and dropped the traffic. However, in the test environment, the same set of rules is not working. I had to flip the direction to $EXTERNAL_NET -> $HOME_NET, including src and dst ports.

> Date: Sat, 6 Apr 2013 11:42:21 -0500
> From: wkitty42 at ...14940...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Replaying pcaps through Snort
> 
> On 4/6/2013 11:37, Y M wrote:
> > They are defined the same on both real and testing(VMs) boxes:
> >
> > $HOME_NET any
> > $EXTERNAL_NET any
> 
> and the pcap is made from the correct side of the connection? the same side that 
> snort is sniffing?
> 
> 
> > Thanks.
> > YM
> >
> >  > Date: Sat, 6 Apr 2013 11:27:19 -0500
> >  > From: wkitty42 at ...14940...
> >  > To: snort-users at lists.sourceforge.net
> >  > Subject: Re: [Snort-users] Replaying pcaps through Snort
> >  >
> >  > On 4/6/2013 10:41, Y M wrote:
> >  > > Nothing, just -c for the conf file.
> >  > >
> >  > > I'm writing some rules, which worked fine on a real environment. But when
> >  > > running on a test environment, replicating the same real scenario, it's getting
> >  > > backwards.
> >  >
> >  > do you have $HOME_NET and $EXTERNAL_NET defined properly/same in the test
> >  > environment as in the live environment?
> >  >
> >  > > So I thought I'm looking at the wrong direction; tagging on the responses, not
> >  > > the requests, but the responses do not contain the content I'm matching on.
> >  > >
> >  > > By the way, I'm planning to submit the rules to the VRT once I finish testing.
> >  > >
> >  > > Thanks.
> >  > > YM
> >  > >
> > --------------------------------------------------------------------------------
> >  > > From: Joel Esler <mailto:jesler at ...1935...>
> >  > > Sent: 4/6/2013 6:33 PM
> >  > > To: Y M <mailto:snort at ...15979...>
> >  > > Cc: snort <mailto:snort-users at lists.sourceforge.net>
> >  > > Subject: Re: [Snort-users] Replaying pcaps through Snort
> >  > >
> >  > > Nope. -r is the correct command. What other commands are you issuing Snort?
> >  > >
> >  > > --
> >  > > *Joel Esler*
> >  > > Sent from my iPhone 
> >  > >
> >  > > On Apr 6, 2013, at 8:43 AM, Y M <snort at ...15979... <mailto:snort at ...15979...>>
> >  > > wrote:
> >  > >
> >  > >> I have a pcap generated from some testing, and let's assume that the source ip
> >  > >> is 192.168.1.10:5432 and destination ip is 192.168.1.15:445, which conforms to
> >  > >> the test scenario I was working with and as captured by wireshark.
> >  > >>
> >  > >> However, replaying the pcap file through Snort (-r), Snort is reporting source
> >  > >> and destination ip addresses backwards, i.e.: source ip is 192.168.1.15:445
> >  > >> and the destination ip 192.168.1.10:5432.
> >  > >>
> >  > >> What am I missing? Is there an extra argument I must input?
> 
> 
> 
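The question running through this thread is which packets a rule header actually selects once $HOME_NET and $EXTERNAL_NET are both set to any, and which side of the capture the content being matched sits on. As an added example, not code from the thread, from Snort or from the VRT, the Python below builds a small constructed capture resembling the exchange the original post describes (192.168.1.10:5432 talking to 192.168.1.15:445), reads it back as a classic pcap with the standard library only, reports which side sent the SYN, and evaluates Snort-style rule headers against every packet. The addresses, payload strings, variable values and the hypothetical `run_demo` wrapper are all constructed for illustration; the header evaluator models only addresses, CIDR negation, ports, port ranges and the `->` / `<>` arrows, not stream reassembly or the flow keyword.

```python
"""Inspect packet direction in a pcap and test Snort rule headers against it (illustrative)."""
import ipaddress
import struct

# Constructed sample endpoints, mirroring the addresses quoted in the thread.
HOME = "192.168.1.10"   # machine the original capture was taken on
PEER = "192.168.1.15"   # destination on port 445 from the original post

SYN, PSH, ACK = 0x02, 0x08, 0x10


def tcp_packet(src_ip, sport, dst_ip, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame with no options; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1365267000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield one dict per IPv4/TCP frame: src, sport, dst, dport, flags, payload."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue                           # not IPv4
        ip = frame[14:]
        ip = ip[:struct.unpack("!H", ip[2:4])[0]]   # trim to IP total length
        if ip[9] != 6:
            continue                           # not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield {"src": str(ipaddress.IPv4Address(ip[12:16])), "sport": sport,
               "dst": str(ipaddress.IPv4Address(ip[16:20])), "dport": dport,
               "flags": tcp[13], "payload": tcp[(tcp[12] >> 4) * 4:]}


def session_initiator(packets):
    """The client side is whoever sends the first SYN without ACK."""
    for p in packets:
        if p["flags"] & SYN and not p["flags"] & ACK:
            return p["src"], p["sport"]
    return None


def _net_match(spec, ip, variables):
    spec = variables.get(spec[1:], spec) if spec.startswith("$") else spec
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _port_match(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")          # "445", "1024:", ":1024", "1:1024"
    low = int(lo) if lo else 0
    high = int(hi) if hi else (low if not sep else 65535)
    return low <= port <= high


def rule_header_matches(header, pkt, variables):
    """Evaluate 'action proto src_net src_port dir dst_net dst_port' against one packet."""
    _action, _proto, s_net, s_port, direction, d_net, d_port = header.split()
    forward = (_net_match(s_net, pkt["src"], variables) and _port_match(s_port, pkt["sport"])
               and _net_match(d_net, pkt["dst"], variables) and _port_match(d_port, pkt["dport"]))
    if direction == "->":
        return forward
    reverse = (_net_match(s_net, pkt["dst"], variables) and _port_match(s_port, pkt["dport"])
               and _net_match(d_net, pkt["src"], variables) and _port_match(d_port, pkt["sport"]))
    return forward or reverse                  # '<>' is bidirectional


def run_demo():
    """Hypothetical driver: handshake plus one request/response pair, both rule directions."""
    frames = [tcp_packet(HOME, 5432, PEER, 445, SYN),
              tcp_packet(PEER, 445, HOME, 5432, SYN | ACK),
              tcp_packet(HOME, 5432, PEER, 445, ACK),
              tcp_packet(HOME, 5432, PEER, 445, PSH | ACK, b"REQUEST-CONTENT"),
              tcp_packet(PEER, 445, HOME, 5432, PSH | ACK, b"response")]
    packets = list(parse_pcap(build_pcap(frames)))
    variables = {"HOME_NET": "any", "EXTERNAL_NET": "any"}   # as quoted in the thread
    rules = {"out": "alert tcp $HOME_NET any -> $EXTERNAL_NET 445",
             "in": "alert tcp $EXTERNAL_NET 445 -> $HOME_NET any"}
    hits = {name: [i for i, p in enumerate(packets) if rule_header_matches(r, p, variables)]
            for name, r in rules.items()}
    return packets, session_initiator(packets), hits


if __name__ == "__main__":
    pkts, client, hits = run_demo()
    for i, p in enumerate(pkts):
        print(i, f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} flags={p["flags"]:#04x} {p["payload"]!r}')
    print("session initiator:", client, "| header hits:", hits)
```

With both variables set to any, the address columns never exclude a packet, so only the port columns and the arrow decide which packets the header hands to the content keyword; in the constructed capture the outbound header selects the request packets (indices 0, 2 and 3) and the inbound one only the replies (1 and 4). Checking which packets actually carry the payload being matched, and which side sent the SYN, is therefore the first thing to verify against a replayed capture before flipping a rule's direction.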