Snort mailing list archives
Re: how to create testing data files??
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 14 Aug 2010 19:44:29 -0400
On 8/14/2010 16:31, Rob MacGregor wrote:
> On Sat, Aug 14, 2010 at 20:35, waldo kitty <wkitty42 () windstream net> wrote:
>> how can we create data files and test rules without having to create pcaps? i've tried creating a file with some test strings in it and feeding it to snort via the various pcap reading methods but snort always whines "bad dump file format" and quits...
>>
>> the snort 2.8.6.1 manual specifically states, in section 1.7.2 at the bottom of page 16...
>>
>> [quote] Note that Snort will not try to determine whether the files under that directory are really pcap files or not. [/quote]
>>
>> that indicates that we can create a "text" file and feed it to snort... what am i missing??
>
> Try rule2alert (https://code.google.com/p/rule2alert/), which will generate a pcap file for the rule you provide.
well, i've been playing and have run into a "problem" with rule2alert... that problem being that it generates the /minimal/ data package that will cause the rule to alert... what i'm actually needing is something that will generate the "maximal" data package...

consider this rule...

alert tcp any any -> any any (msg:"distance with testing"; content:"ABC"; content:"EFG"; distance:1; within:10; sid:60000001; rev:1;)

and these data strings...

ABCxEFG
ABCx1234567EFG
ABCx12345678EFG
ABCx123456789EFG
ABCx1234567890EFG

which is the first one that will NOT alert?

the data package that rule2alert is creating for the above rule is (effectively) the first string but there's a question (on another list) concerning if within takes into account the distance or not... also, there's a question in the above of if the within content must /all/ reside within or if it must only /start/ within...

does that make sense?
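The two questions in the post (whether `within` is counted from the end of the previous match or from the point after `distance` is applied, and whether the whole pattern or only its first byte must fall inside the window) are exactly what the five test strings probe. The following is an added example, not code from the thread or from Snort or rule2alert: a small Python model of the relative `content`/`distance`/`within` matching, with both open questions exposed as switches, run over the rule and payloads from the post. The matcher, the option names and the four "interpretations" are my own construction for illustration; which one Snort actually implements has to be confirmed by running snort itself over a pcap, which is why the model reports the first non-alerting payload under each reading rather than asserting one answer.

```python
# Added example (not from the thread, not Snort's code): a model of Snort-style
# relative content matching, parameterised on the two readings of `within`
# that the post leaves open. Verify real behaviour with snort on a pcap.

from typing import List, Optional, Tuple

# (pattern, distance, within); None means the modifier is absent.
# Mirrors the posted rule: content:"ABC"; content:"EFG"; distance:1; within:10;
RULE: List[Tuple[bytes, Optional[int], Optional[int]]] = [
    (b"ABC", None, None),
    (b"EFG", 1, 10),
]

# The five payloads from the post, in the order given there.
PAYLOADS = [
    b"ABCxEFG",
    b"ABCx1234567EFG",
    b"ABCx12345678EFG",
    b"ABCx123456789EFG",
    b"ABCx1234567890EFG",
]

# The two open questions as two boolean switches (hypothetical names):
#   window_after_distance: count the `within` window from the end of the
#       previous match (False) or from the point after `distance` (True)?
#   whole_pattern: must the entire pattern fit inside the window (True)
#       or only its first byte (False)?
INTERPRETATIONS = {
    "within from previous match end, whole pattern in window": (False, True),
    "within after distance, whole pattern in window": (True, True),
    "within from previous match end, pattern only starts in window": (False, False),
    "within after distance, pattern only starts in window": (True, False),
}


def rule_matches(payload: bytes, rule, window_after_distance: bool, whole_pattern: bool) -> bool:
    """True if every content in `rule` matches in order, each relative to the
    end of the previous match (Snort's "detect offset end"). Only the first
    occurrence of each pattern is considered, which is sufficient for the
    payloads above since each pattern occurs once."""
    doe = 0  # end of the previous match; 0 before the first content
    for pattern, distance, within in rule:
        start = doe + (distance or 0)
        if start > len(payload):
            return False
        if within is None:
            window_end = len(payload)
        else:
            base = start if window_after_distance else doe
            window_end = min(base + within, len(payload))
        if whole_pattern:
            # search bounded to the window: the whole pattern must fit in it
            idx = payload.find(pattern, start, window_end)
            if idx < 0:
                return False
        else:
            # unbounded search, but the match must *start* inside the window
            idx = payload.find(pattern, start)
            if idx < 0 or idx >= window_end:
                return False
        doe = idx + len(pattern)
    return True


def alert_table(rule=RULE, payloads=PAYLOADS):
    """Per interpretation, one alert/no-alert boolean per payload."""
    return {
        name: [rule_matches(p, rule, *flags) for p in payloads]
        for name, flags in INTERPRETATIONS.items()
    }


def first_non_alerting(name: str, rule=RULE, payloads=PAYLOADS):
    """1-based index of the first payload that does not alert under `name`,
    or None if every payload alerts."""
    for i, p in enumerate(payloads, start=1):
        if not rule_matches(p, rule, *INTERPRETATIONS[name]):
            return i
    return None


if __name__ == "__main__":
    for name, results in alert_table().items():
        print(f"{name}:")
        for p, hit in zip(PAYLOADS, results):
            print(f"  {p.decode():<20} {'alert' if hit else '-'}")
        print(f"  first non-alerting payload: #{first_non_alerting(name)}")
```

Run as-is, the model shows that the four readings give four different answers to "which is the first one that will NOT alert?": the second, third, fourth and fifth payload respectively, so the posted strings are enough to tell the readings apart once they are wrapped in a pcap and fed to snort.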