Snort mailing list archives
Re: Reading a TCPdump file
From: sekure <sekure () gmail com>
Date: Fri, 22 Oct 2004 09:44:28 -0400
Try defining HOME_NET and EXTERNAL_NET as any and see what happens. Also try disabling the stream4 preprocessor. On Fri, 22 Oct 2004 14:35:13 +0100, Mark Johnston <mark.johnston () bluesq com> wrote:
Hi there, Thanks for the reply ... HOME_NET is defined as the IP of the address of the host e.g 10.10.10.5/32 and EXTERNAL_NET is defined as !HOME_NET. The file is the entire capture of all sessions to that box (it was inline). I didn't use the -z option in the command line. Thanks Mark -----Original Message----- From: sekure [mailto:sekure () gmail com] Sent: 22 October 2004 14:20 To: Mark Johnston Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Reading a TCPdump file Mark, Are you HOME_NET and EXTERNAL_NET variables defined correctly? Also, i am not exactly sure if the tcpdump contains a complete session, or just the alerts, but if it does NOT contain the entire session, Snort won't even look at it, unless you remove the "-z" from the commandline (which looks like you did), and remove the "flow" keyword from the rules. On Thu, 21 Oct 2004 15:15:36 +0100, Mark Johnston <mark.johnston () bluesq com> wrote:I'm looking at one of the honeynet scan of the month projects (#27). And what I'm trying to do is get snort to read the TCPdump capture file and view the alerts. Thus far I have configured the conf file to have the appropriate values and run snort against the file, however I'm not getting any generated alerts. I know that I should be getting some though. I also have the latest version of the rules and am running snort 2.2 for Fedora Core 2. The command that I am using is "snort -A full -c /etc/snort/snort.conf -r sotm27"********************************************************************** This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. It may not be used or disclosed except for the purpose for which it has been sent. If you have received this e-mail in error please notify the system administrator postmaster () bluesq com quoting the senders address. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on this e-mail and must delete the message and any documents. Please advise immediately if you or your employer do not consent to Internet e-mail for messages of this kind. Unless expressly stated, opinions in this message are those of the individual sender and not of Blue Square. Blue Square accepts no liability or responsibility for any onward transmission or use of e-mails and attachment having left the Blue Square domain. This footnote also confirms that this e-mail message has been swept by MIMEsweeper for the presence of computer viruses. Whilst we have taken reasonable precautions to ensure that this e-mail and any attachments have been swept for viruses, we cannot accept liability for any damage sustained as a result of software viruses and would advise that you carry out your own virus checks before opening any attachment. www.bluesq.com **********************************************************************
------------------------------------------------------- This SF.net email is sponsored by: IT Product Guide on ITManagersJournal Use IT products in your business? Tell us what you think of them. Give us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more http://productguide.itmanagersjournal.com/guidepromo.tmpl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Reading a TCPdump file Mark Johnston (Oct 21)
- Re: Reading a TCPdump file sekure (Oct 22)
- RE: Reading a TCPdump file Jeff Dell (Oct 22)
- <Possible follow-ups>
- RE: Reading a TCPdump file Mark Johnston (Oct 29)
- Re: Reading a TCPdump file sekure (Oct 22)