[Snort-users] Replaying pcaps through Snort

Y M snort at ...15979...
Sat Apr 6 13:58:29 EDT 2013


Thanks for the thorough explanation Waldo. At the moment I'm not using any flow modifiers.

If I run the destination capture against the rules, they just trigger as expected, which I think points back to what you just suggested.
________________________________
From: waldo kitty<mailto:wkitty42 at ...14940...>
Sent: 4/6/2013 8:49 PM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: Re: [Snort-users] Replaying pcaps through Snort

On 4/6/2013 11:58, Y M wrote:
> Yes.
>
> The real pcap, for example, had src as 192.168.1.10 and dst as 192.168.1.15
> The test pcap, for example, had src as 192.168.2.133 and dst as 192.168.1.134
>
> In both cases, the capture being replayed is from the source machine, and the
> rule direction was $HOME_NET -> $EXTERNAL_NET. In the real environment, this
> generated an alert and dropped the traffic. However, in the test environment,
> the same set of rules are not working. I had to flip the direction to
> $EXTERNAL_NET -> $HOME_NET, including src and dst ports.

are you using the "to_server" or "to_client" flow: modifiers?


$EXTERNAL_NET 80 -> $HOME_NET any (flow:to_server;) would be client traffic

$HOME_NET any -> $EXTERNAL_NET 80 (flow:to_server;) would be client traffic

$EXTERNAL_NET 80 -> $HOME_NET any (flow:to_client;) would be server traffic

$HOME_NET any -> $EXTERNAL_NET 80 (flow:to_client;) would be server traffic


you can't just go by the placement of the $HOME_NET or $EXTERNAL_NET and the
direction the '->' is pointing...

flow:established,to_server or flow:established,to_client are pretty common...
sometimes you might find rules using from_client or from_server... established
means, of course, that the 3way handshake for tcp connections was performed...


>  > Date: Sat, 6 Apr 2013 11:42:21 -0500
>  > From: wkitty42 at ...14940...
>  > To: snort-users at lists.sourceforge.net
>  > Subject: Re: [Snort-users] Replaying pcaps through Snort
>  >
>  > On 4/6/2013 11:37, Y M wrote:
>  > > They are defined the same on both real and testing(VMs) boxes:
>  > >
>  > > $HOME_NET any
>  > > $EXTERNAL_NET any
>  >
>  > and the pcap is made from the correct side of the connection? the same side that
>  > snort is sniffing?
>  >
>  >
>  > > Thanks.
>  > > YM
>  > >
>  > > > Date: Sat, 6 Apr 2013 11:27:19 -0500
>  > > > From: wkitty42 at ...14940...
>  > > > To: snort-users at lists.sourceforge.net
>  > > > Subject: Re: [Snort-users] Replaying pcaps through Snort
>  > > >
>  > > > On 4/6/2013 10:41, Y M wrote:
>  > > > > Nothing, just -c for the conf file.
>  > > > >
>  > > > > I'm writing some rules, which worked fine on a real environment. But when
>  > > > > running on a test environment, replicating the same real scenario, it's
>  > > > > getting backwards.
>  > > >
>  > > > do you have $HOME_NET and $EXTERNAL_NET defined properly/same in the test
>  > > > environment as in the live environment?
>  > > >
>  > > > > So I thought I'm looking at the wrong direction; tagging on the
>  > > > > responses, not the requests, but the responses do not contain the
>  > > > > content I'm matching on.
>  > > > >
>  > > > > By the way, I'm planning to submit the rules to the VRT once I finish
>  > > > > testing.
>  > > > >
>  > > > > Thanks.
>  > > > > YM
>  > > > >
>  > > > >
>  > > > > --------------------------------------------------------------------------------
>  > > > > From: Joel Esler <mailto:jesler at ...1935...>
>  > > > > Sent: 4/6/2013 6:33 PM
>  > > > > To: Y M <mailto:snort at ...15979...>
>  > > > > Cc: snort <mailto:snort-users at lists.sourceforge.net>
>  > > > > Subject: Re: [Snort-users] Replaying pcaps through Snort
>  > > > >
>  > > > > Nope. -r is the correct command. What other commands are you issuing to Snort?
>  > > > >
>  > > > > --
>  > > > > *Joel Esler*
>  > > > > Sent from my iPhone
>  > > > >
>  > > > > On Apr 6, 2013, at 8:43 AM, Y M <snort at ...15979... <mailto:snort at ...15979...>>
>  > > > > wrote:
>  > > > >
>  > > > >> I have a pcap generated from some testing, and let's assume that the
>  > > > >> source IP is 192.168.1.10:5432 and destination IP is 192.168.1.15:445, which
>  > > > >> conforms to the test scenario I was working with and as captured by Wireshark.
>  > > > >>
>  > > > >> However, replaying the pcap file through Snort (-r), Snort is
>  > > > >> reporting source and destination IP addresses backwards, i.e.: source IP is
>  > > > >> 192.168.1.15:445 and the destination IP 192.168.1.10:5432.
>  > > > >>
>  > > > >> What am I missing? Is there an extra argument I must input?
