Snort mailing list archives
Re: Re: I don't get any alerts when reading from file.
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 2 Aug 2004 23:05:08 -0400
How did you create the tcpdump file? What was the command line you used with tcpdump?
Can you try running Snort like this:

snort -c snort.conf -A console -b -r test.txt

What makes you think that every packet should be generating an alert? Which SID do you expect to be firing?
You might want to start with a simpler test to just detect the specific alert that you're looking for. You could even write a custom rule for it...
-Marty

On Aug 2, 2004, at 5:03 AM, dimopoulos () mhl tuc gr wrote:
> Still, I should have been able to get alerts for infected UDP files, right? I get absolutely NO alerts! Any other ideas?
>
>> A lot of the snort signatures require an established connection (TCP handshake). Look for "flow:established" in the rule. If your pcap file only contains the packets with the signatures and not the entire session, snort will not trigger on them. That's just my guess...
>>
>> On Fri, 30 Jul 2004 12:55:29 +0300 (EEST), dimopoulos () mhl tuc gr <dimopoulos () mhl tuc gr> wrote:
>>
>>> Hullo. I'm using snort 2.1.3 on Windows 2000 SP4, on a 1.5 GHz Pentium 4 processor with 512 MB and have libcap 3.0. For the past days I've been trying in vain to get snort to read from a file and log the alerts, yet nothing happens. I've edited snort.conf to include all the rule files and set all addresses to 'any'.
>>>
>>> For a typical execution I use:
>>>
>>> snort.exe -c snort.conf -r test.txt
>>>
>>> (test.txt is a random tcp dump file I have created using Ethereal and every packet in the file contains a signature.)
>>>
>>> I can see that the rules are read successfully from the '.rule' files: "2060 Snort rules read... 2060 Option Chains linked into 254 Chain Headers"
>>>
>>> At the results section the "Breakdown by protocol:" is correct but the actions are all 0 (alerts=0, logged=0, passed=0). When I use -vd I can see the header and the data of the packets are all ok (and should generate alerts). I've tried the various -A switches, no change. After reading both the manual and the FAQ I still haven't found anything. Am I blind and have missed something obvious? Any help will be deeply appreciated and will help spare what little hair I haven't torn off my scalp yet!! Thanks!
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
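The point raised in the quoted reply above, that rules carrying `flow:established` stay silent unless the capture contains the TCP session and not just the packet with the signature, is the first thing to check on a pcap that produces zero alerts. The following script is an added example, not code from this thread or from the Snort project: it parses a classic pcap with only the standard library and reports, per TCP flow, whether the SYN, SYN-ACK and ACK of the three-way handshake are all present. The capture it inspects is constructed inline (addresses, ports and the HTTP request are made-up values), and the function and constant names are this example's own.

```python
import struct
from collections import defaultdict

# Classic pcap magic as read little-endian; a big-endian file shows up reversed.
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
SYN, PSH, ACK = 0x02, 0x08, 0x10
HANDSHAKE = ("SYN", "SYN-ACK", "ACK")


def ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_tcp_packet(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Ethernet/IPv4/TCP frame with zero MACs and zero checksums.
    Constructed test data for this example, not captured traffic."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipv4(src), ipv4(dst))
    return eth + ip + tcp


def build_pcap(packets):
    """Wrap frames in a classic little-endian pcap container (constructed data)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 1000000 + i, 0, len(p), len(p)) + p
                    for i, p in enumerate(packets))
    return hdr + recs


def iter_frames(data):
    """Yield raw frames from pcap bytes; rejects anything that is not classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[13]


def handshake_report(data):
    """Map each TCP flow to 'established' or the handshake stages it lacks.
    Stream tracking in an IDS only considers a flow established once it has
    seen the handshake, so flow:established rules never fire on the rest."""
    stages = defaultdict(set)
    for frame in iter_frames(data):
        f = tcp_fields(frame)
        if f is None:
            continue
        src, dst, sport, dport, flags = f
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent
        seen = stages[key]
        if flags & SYN and not flags & ACK:
            seen.add("SYN")
        elif flags & SYN and flags & ACK:
            seen.add("SYN-ACK")
        elif flags & ACK and "SYN-ACK" in seen:
            seen.add("ACK")
    report = {}
    for key, seen in stages.items():
        missing = [s for s in HANDSHAKE if s not in seen]
        report[key] = "established" if not missing else "missing " + "/".join(missing)
    return report


def demo():
    """Constructed capture: one complete session and one lone data packet."""
    c, s, x = "10.0.0.1", "10.0.0.2", "10.0.0.3"
    req = b"GET / HTTP/1.0\r\n\r\n"
    pcap = build_pcap([
        build_tcp_packet(c, s, 40000, 80, SYN, seq=1),
        build_tcp_packet(s, c, 80, 40000, SYN | ACK, seq=100, ack=2),
        build_tcp_packet(c, s, 40000, 80, ACK, seq=2, ack=101),
        build_tcp_packet(c, s, 40000, 80, PSH | ACK, seq=2, ack=101, payload=req),
        # Same request, but the capture holds only this packet, no handshake.
        build_tcp_packet(x, s, 40001, 80, PSH | ACK, seq=2, ack=101, payload=req),
    ])
    return handshake_report(pcap)


if __name__ == "__main__":
    for flow, status in demo().items():
        print(flow, "->", status)
```

Pointing `iter_frames` at a real file (read it in binary mode) gives the same per-flow summary; a flow listed as missing handshake stages is one that `flow:established` rules will ignore no matter what its payload contains, and a magic-number error means the file is not a classic pcap at all, which is worth ruling out before looking at the rules.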
Current thread:
- I don't get any alerts when reading from file. dimopoulos (Jul 30)
- Re: I don't get any alerts when reading from file. sekure (Jul 30)
- <Possible follow-ups>
- Re: I don't get any alerts when reading from file. dimopoulos (Aug 02)
- Re: Re: I don't get any alerts when reading from file. Martin Roesch (Aug 02)
- Re: Re: I don't get any alerts when reading from file. dimopoulos (Aug 03)
- Re: Re: I don't get any alerts when reading from file. Martin Roesch (Aug 02)
- Re: I don't get any alerts when reading from file. dimopoulos (Aug 04)