Snort mailing list archives
(no subject)
From: "Kris" <5brittons () comcast net>
Date: Tue, 30 Mar 2004 13:07:57 -0500
I am a new snort user and am playing around with writing snort rules and generating alerts. I am using some raw data files from http://www.incidents.org/logs/Raw to serve as my test traffic. The command line I am using for this testing is as follows:

    C:\Snort\detects>snort -r c:\snort\detects\2002.5.30 -b -l c:\snort\log -c c:\snort\etc\test.conf -A full

where test.conf contains one rule, which is:

    alert tcp any any -> any any (msg:"TCP traffic";)

The command line output from the run is as follows:

    C:\Snort\detects>snort -r c:\snort\detects\2002.5.30 -b -l c:\snort\log -c c:\snort\etc\test.conf -A full
    Running in IDS mode
    Log directory = c:\snort\log

    TCPDUMP file reading mode.
    Reading network traffic from "c:\snort\detects\2002.5.30" file.
    snaplen = 1514

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file c:\snort\etc\test.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    1 Snort rules read...
    1 Option Chains linked into 1 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    +-----------------------[thresholding-config]----------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[thresholding-global]----------------------------------
    | none
    +-----------------------[thresholding-local]-----------------------------------
    | none
    +-----------------------[suppression]------------------------------------------
    | none
    -------------------------------------------------------------------------------

    Rule application order: ->activation->dynamic->alert->pass->log

            --== Initialization Complete ==--

    -*> Snort! <*-
    Version 2.1.1-ODBC-MySQL-FlexRESP-WIN32 (Build 24)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)
    1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
    1.8 - 2.1 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

    Run time for packet processing was 0.0 seconds

    ===============================================================================
    Snort processed 138 packets.
    Breakdown by protocol:                Action Stats:
        TCP: 125        (90.580%)         ALERTS: 0
        UDP: 13         (9.420%)          LOGGED: 0
       ICMP: 0          (0.000%)          PASSED: 0
        ARP: 0          (0.000%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 0          (0.000%)
    ===============================================================================
    Wireless Stats:
    Breakdown by type:
        Management Packets: 0          (0.000%)
        Control Packets:    0          (0.000%)
        Data Packets:       0          (0.000%)
    ===============================================================================
    Fragmentation Stats:
    Fragmented IP Packets: 0          (0.000%)
       Rebuilt IP Packets: 0
       Frag elements used: 0
    Discarded(incomplete): 0
       Discarded(timeout): 0
    ===============================================================================
    TCP Stream Reassembly Stats:
       TCP Packets Used: 0          (0.000%)
       Reconstructed Packets: 0          (0.000%)
       Streams Reconstructed: 0
    ===============================================================================
    Snort exiting

Given the rule in test.conf, I was expecting to see 125 alerts generated (as opposed to the 0 noted). I checked the alert.ids file in the /snort/log directory and it indeed has no alerts present.

Any help would be appreciated.

Thanks,
Kris B.
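Editor's note, added here and not part of Kris's message or of the Snort project: the statistics above show 125 TCP packets decoded but 0 alerts, which is the pattern Snort 2.x produces when packets reach the decoder but never reach the detection engine. One cause a practitioner checks first is checksum verification: Snort 2.x verifies IP and TCP checksums by default and does not run rules against packets whose checksums fail, while still counting them in the protocol breakdown. Captures whose addresses were rewritten without recomputing checksums are a typical source of such packets. Whether that is the cause here is an assumption; the post does not say. The Python below audits a classic libpcap file for TCP segments with bad IP or TCP checksums so the hypothesis can be tested on the actual capture. The sample capture it builds in memory is constructed for the example (one clean TCP segment, one with a deliberately corrupted TCP checksum, one UDP datagram); pass a real file path on the command line to audit that instead.

```python
"""Audit a libpcap file for packets that would fail Snort's default checksum checks.

Added example, not from the original post. Assumption (not stated on the page):
Snort 2.x skips detection on packets with bad IP/TCP checksums. The sample
capture built by build_sample_pcap() is constructed here for demonstration.
"""
import socket
import struct
import sys

ETH_IPV4 = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00"  # constructed MACs


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data, folded into 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum. Returns 0 when data already carries a valid checksum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_pseudo_header(src: bytes, dst: bytes, seg_len: int) -> bytes:
    return struct.pack("!4s4sBBH", src, dst, 0, 6, seg_len)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """IPv4 header (no options) with a correct header checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


def build_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes,
              corrupt_checksum: bool = False) -> bytes:
    """TCP segment (PSH/ACK); optionally with a deliberately wrong checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 0x50, 0x18, 8192, 0, 0)
    pseudo = tcp_pseudo_header(socket.inet_aton(src), socket.inet_aton(dst),
                               len(hdr) + len(payload))
    csum = internet_checksum(pseudo + hdr + payload)
    if corrupt_checksum:
        csum ^= 0x5A5A  # simulates a sanitiser that rewrote addresses but not the checksum
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_pcap(frames) -> bytes:
    """Little-endian libpcap 2.4 file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000000 + i, 0, len(frame), len(frame)) + frame
    return out


def build_sample_pcap() -> bytes:
    """Constructed sample: clean TCP, TCP with bad checksum, and one UDP datagram."""
    req = b"GET / HTTP/1.0\r\n\r\n"
    good = ETH_IPV4 + build_ipv4("10.0.0.1", "10.0.0.2", 6,
                                 build_tcp("10.0.0.1", "10.0.0.2", 40000, 80, req))
    bad = ETH_IPV4 + build_ipv4("10.0.0.3", "10.0.0.2", 6,
                                build_tcp("10.0.0.3", "10.0.0.2", 40001, 80, req, True))
    udp = ETH_IPV4 + build_ipv4("10.0.0.1", "10.0.0.2", 17,
                                struct.pack("!HHHH", 40002, 53, 12, 0) + b"abcd")
    return build_pcap([good, bad, udp])


def audit_pcap(data: bytes) -> dict:
    """Count packets, TCP segments, truncated packets and checksum failures."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(e + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    stats = {"packets": 0, "tcp": 0, "truncated": 0,
             "bad_ip_checksum": 0, "bad_tcp_checksum": 0}
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(e + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        stats["packets"] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet II
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if len(ip) < total_len:
            stats["truncated"] += 1  # snaplen cut the packet; checksum cannot be verified
            continue
        ip = ip[:total_len]  # drop Ethernet padding or trailer
        if internet_checksum(ip[:ihl]) != 0:
            stats["bad_ip_checksum"] += 1
        if ip[9] != 6:
            continue
        stats["tcp"] += 1
        seg = ip[ihl:]
        if internet_checksum(tcp_pseudo_header(ip[12:16], ip[16:20], len(seg)) + seg) != 0:
            stats["bad_tcp_checksum"] += 1
    return stats


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(audit_pcap(raw))
```

If the audit reports that most TCP segments fail their checksum, a follow-up check is to rerun Snort 2.x with checksum verification disabled (the `-k none` switch, or `config checksum_mode: none` in the configuration) and see whether the alert count changes; if the checksums are fine, the cause lies elsewhere and this test has ruled one thing out.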
Current thread:
- (no subject) jhally (Jan 26)
- <Possible follow-ups>
- (no subject) tony . williams (Jan 26)
- (no subject) Finney Charles E (Feb 16)
- (no subject) sumit vora (Feb 22)
- Re: (no subject) Keith W. McCammon (Feb 22)
- (no subject) marcio (Feb 23)
- (no subject) Kris (Mar 30)