[Snort-users] Basic snort setup for processing pcap produces no alerts

James Lay jlay at ...13475...
Wed Mar 26 07:18:24 EDT 2014


On Wed, 2014-03-26 at 11:35 +0100, Egon Kidmose wrote:
> Hi all, 
> 
> 
> I am working with snort for the first time, trying to feed in a pcap
> with known bad traffic and hoping to get out a list of alerts.
> 
> I use snortrules-snapshot-2960.tar.gz from
> http://snort.org/snort-rules/ without pulledpork as I don't need to
> get updates. 
> 
> 
> My pcap contains a trace from a controlled environment where I have
> infected and remote-controlled a machine with the fairly old IRC bot
> sdbot, so I expect some reaction from snort; however, I get none.
> 
> My thought is that the absence of alerts follows from one of the
> following:
> 
> 
> a) incorrect configuration
> 
> 
> b) my trace not being "bad enough" for snort to pick it up
> 
> 
> c) or something else...
> 
> Is there anyone out there who can help me to fix the configuration,
> point me to some reference trace that certainly triggers an alert or
> simply provide possibly useful hints/suggestions/insights?
> 
> Anything would be greatly appreciated!
> 
> # command used: 
>  ~/git-reps/.../sdbot05b-2014-03-25-1020 $ snort
> -c ../rules/snortrules-snapshot-2960/etc/snort.conf -r sdbot05b.pcap
> 
> # output from running snort
> http://kom.aau.dk/~ekidmose/snort-example/output.txt 
> 
> # snort version:
> 
>  ~/git-reps/.../sdbot05b-2014-03-25-1020 $ snort -V
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.6.0 GRE (Build 47) 
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 2014 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.3.0
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.7
> 
> # My pcap and the rules with my modifications
> 
> http://kom.aau.dk/~ekidmose/snort-example.tar.gz
> http://kom.aau.dk/~ekidmose/snort-example/
> 
> Mvh/BR
> Egon Kidmose


This might be a checksum issue. Try adding "-k none" to your command
line.

James
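The "-k none" hint matters because Snort verifies IP/TCP/UDP checksums by default and does not inspect packets that fail, and a capture taken on a host with checksum offloading enabled commonly carries bad checksums. The following is an added example, not code from the thread: a pure-Python check that walks a classic pcap (Ethernet link type only) and counts IPv4 frames whose header checksum is wrong, with constructed sample frames so it runs offline.

```python
import struct

def ones_complement_sum(data):
    """RFC 1071 Internet checksum of data (odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header_checksum_ok(frame):
    """True when the IPv4 header checksum of an Ethernet II frame verifies (sum over the header, checksum field included, is 0)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    return ones_complement_sum(frame[14:14 + ihl]) == 0

def count_bad_ipv4_checksums(pcap):
    """Walk a classic pcap (not pcapng, LINKTYPE_ETHERNET only); return (ipv4 frames seen, frames with a bad IP header checksum)."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("example handles Ethernet link type only")
    off, total, bad = 24, 0, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] == b"\x08\x00":
            total += 1
            bad += int(not ipv4_header_checksum_ok(frame))
    return total, bad

def build_ipv4_frame(good_checksum):
    """Constructed sample: Ethernet II + bare IPv4 header 10.0.0.1 -> 10.0.0.2; good_checksum=False leaves the field zero, as offloading does."""
    eth = b"\x00" * 12 + b"\x08\x00"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    if good_checksum:
        hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return eth + hdr

def build_pcap(frames):
    """Constructed sample: little-endian classic pcap header (magic 0xa1b2c3d4, linktype 1) plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Run count_bad_ipv4_checksums(open("sdbot05b.pcap", "rb").read()) on the real capture; a non-zero bad count is the case where "-k none" (or the matching noip/notcp/noudp mode) is the right fix rather than a rules problem.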