Snort mailing list archives
Re: How to achieve alerts from tcpdump files?
From: Nigel Houghton <nigel () sourcefire com>
Date: Tue, 30 Mar 2004 09:24:01 -0600
Date: Mon, 29 Mar 2004 21:04:12 -0500 (EST)
From: jwang () fit edu
To: snort-users () lists sourceforge net
Subject: [Snort-users] How to achieve alerts from tcpdump files?

hi everyone: my issues:

1) I have managed to create alerts from my tcpdump file with the following command: ../snort -s -r file.tcpdump -c snort.conf but since I have got thousands of tcpdump files, all the alerts were output to the /sys/log/snort/alert file, and it's really hard to recognize which alert is from which tcpdump file?! Can someone tell me if there is any way I can set a path to each output of the alerts from every tcpdump file??
snort -s -r file.tcpdump -c snort.conf -l /path/to/log/ Also, you might not want to use your standard snort.conf for tasks like this.
2) I have got a tcpdump file from a system that is about a year old, and after applying the latest rule set (downloaded from snort.org), it didn't detect any alert from it? but my instructor said he is 100% sure there is at least one alert from that file. I was wondering, how will I be able to find it then???
Try using some rules from deleted.rules, it may be that the rule concerning the traffic in the dump file has been retired for one reason or another. You should also make sure the dump file is valid and has valid session data in it.
3) After we have found the alerts, what is the command/method to fix the bug in the tcpdump file? so that the alerts will not appear the second time we snort it?
I am not sure what you are asking here. If a dump file contains data that should be alerted on, why would you want to prevent snort from alerting? The tcpdump file is data that has been collected from network traffic and written to a file, there are tools to edit packet captures, fix the checksums after editing etc., but I'm sure this is not what you mean. If you are looking to only generate one event instead of one hundred from a single file, then you need to check out thresholding in the handbook.
thank you very much!!
Jun WANG
Florida Tech
29th, March 2004
-------------------------------------------------------------
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team
In an emergency situation involving two or more officers of equal rank, seniority will be granted to whichever officer can program a vcr.
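A batch wrapper for the per-file -l approach Nigel suggests above, added here as an example and not part of the thread or of the Snort project. It assumes the captures are named *.tcpdump in one directory, that snort.conf lives at the path in SNORT_CONF (a placeholder), and that the snort binary is on PATH or named in SNORT; the per-capture log directory names are derived from the capture file names so each run's alert file lands in its own directory.

```shell
#!/bin/sh
# Added example (not from the thread): run snort over every capture in a
# directory, giving each capture its own -l log directory so its alerts are
# kept apart from the others instead of all landing in one alert file.
# Assumptions (placeholders): captures are *.tcpdump, snort.conf is at
# $SNORT_CONF, and the snort binary is on PATH or given in $SNORT.

SNORT="${SNORT:-snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Map a capture path to its per-file log directory under a base directory:
#   logdir_for /var/log/snort-batch /data/caps/host1.tcpdump
#   -> /var/log/snort-batch/host1
logdir_for() {
    base="$1"
    cap="$2"
    name=$(basename "$cap")
    name="${name%.*}"          # strip the file extension
    printf '%s/%s\n' "$base" "$name"
}

# Build the command line from the thread, with -l pointing at the per-file
# directory. Printed rather than executed so it can be reviewed first.
snort_cmd_for() {
    base="$1"
    cap="$2"
    dir=$(logdir_for "$base" "$cap")
    printf '%s -s -r %s -c %s -l %s\n' "$SNORT" "$cap" "$SNORT_CONF" "$dir"
}

# Process every *.tcpdump in $1, logging under $2. Prints the number of
# captures processed; a failing snort run is reported but does not stop
# the batch, so one corrupt capture cannot silently abort the others.
run_batch() {
    capdir="$1"
    base="$2"
    count=0
    for cap in "$capdir"/*.tcpdump; do
        [ -e "$cap" ] || continue      # no matches: glob stays literal
        dir=$(logdir_for "$base" "$cap")
        mkdir -p "$dir"
        # With -l, snort writes this capture's alert file inside $dir.
        if ! "$SNORT" -s -r "$cap" -c "$SNORT_CONF" -l "$dir" \
                > "$dir/snort.stdout" 2>&1; then
            echo "snort failed on $cap, see $dir/snort.stdout" >&2
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Usage: ./snort-batch.sh /data/caps /var/log/snort-batch
if [ "$#" -ge 2 ]; then
    run_batch "$1" "$2"
fi
```

Each capture ends up with its own alert file under the base directory, which answers the "which alert came from which file" problem without any post-processing of a shared alert file. For the retired-rule question in the thread, the same wrapper can be pointed at a separate configuration via SNORT_CONF, which is also the natural place to keep a batch-only config rather than the production snort.conf.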
Current thread:
- How to achieve alerts from tcpdump files? jwang (Mar 29)
- Re: How to achieve alerts from tcpdump files? Nigel Houghton (Mar 30)