Re: how to create testing data files??

[Russ Combs <rcombs () sourcefire com>]

On Fri, Aug 20, 2010 at 9:22 AM, Russ Combs <rcombs () sourcefire com> wrote:

> On Tue, Aug 17, 2010 at 2:57 PM, waldo kitty <wkitty42 () windstream net>wrote:
>
> > On 8/16/2010 10:30, Ryan Jordan wrote:
> > > > [quote] Note that Snort will not try to determine whether the files
> > under that
> > > > directory are really pcap files or not. [/quote]
> > >
> > > This means that your directory better have pcap files in it, because
> > > Snort's going to try and load them as pcaps! :)  Perhaps this is
> > > something we can make a little more clear.
> >
> > i would say so because i read it that snort wouldn't care in this case if
> > they
> > are pcaps or plain text/binary files... i mean, heck, "i" just want to
> > create a
> > file of "aaaaABCxEFGaaaa" and feed it to snort to see if that rule fires
> > based
> > on that string ;)
> >
> > > When I'm testing rules or things I've developed, I typically use Scapy
> > > to craft pcaps. At one point, I used the following setup for more
> > > rapid (but less repeatable!) testing:
> > >
> > > Get 2 hosts. I used my workstation and a VM. On one end, named
> > > "foobar", run netcat in listen mode:
> > > [ryan@foobar]$ nc -l -p 5555
> > >
> > > On the other end, connect with netcat:
> > > [ryan@snortdev]$ nc foobar 5555
> > >
> > > On the client's end, I ran Snort with my rules to test. I used a BPF
> > > to get only this traffic:
> > > [ryan@snortdev]$ snort -c testing.conf -i eth0 -F my_bpf.txt -A cmg -k
> > none
> > > The contents of my BPF:
> > > [ryan@snortdev]$ cat my_bpf.txt
> > > host foobar and port 5555
> > >
> > > Finally, I can just type stuff into my netcat window and watch the
> > > alerts pop up in my Snort window.
> > >
> > > I found this to be useful when I was debugging some pattern matcher
> > > weirdness in the Sensitive Data preprocessor. This approach is less
> > > useful if you want to save your tests and script them up to be run
> > > later -- pcaps are great for this.
> > >
> > > You'll also run into trouble if you want to test a more complex
> > > protocol than raw text over TCP, but we'll save that for another day.
> > > :)
> >
> > thanks for that... i'm sure it will be helpful to some... sadly, though,
> > it made
> > my eyes cross and i had to use sandpaper on them to be able to write this
> > :?
> > getting old too soon and too fast :(
>
> You might try this: http://sourceforge.net/projects/abcip/.
>
> Using a file like this, say test.abc:
>
> # define the encapsulations
> d ( stack="eth:ip4:udp" )
>
> # generate packets with given payloads
> a ( pay="ABCEFG" )
> a ( pay="ABCxEFG" )
> a ( pay="ABCx123456EFG" )
> a ( pay="ABCx1234567EFG" )
> a ( pay="ABCx12345678EFG" )
> a ( pay="ABCx123456789EFG" )
> a ( pay="ABCxx123456EFG" )
> a ( pay="ABCxx1234567EFG" )
> a ( pay="ABCxx12345678EFG" )
> a ( pay="ABCxx123456789EFG" )
>
> Which will produce a pcap with this command:
>
> abcip --pcap test.pcap < test.abc

If you really want to go from text strings straight into Snort, abcip (
http://sourceforge.net/projects/abcip/ ) now includes a DAQ and a raw input
mode, so you can so stuff like this:

Terminal:
    snort --daq abc --daq-var raw -i tty

Redirect:
    snort --daq abc --daq-var raw -i tty < test.txt

Readback:
    snort --daq abc --daq-var raw -r test.txt

Russ

------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users