Snort mailing list archives

Re: Replaying pcaps through Snort


From: "Kurt Jensen CISSP" <kjensencissp () gmail com>
Date: Mon, 8 Apr 2013 10:15:42 -0400

Hi, I have a question about the .rpm based install process as compared to the .tar.gz package approach:

What are the major steps left to complete once a person has installed the “rpm” package successfully? Do the
“Snort Setup Guides for Linux” still apply well? Or, another way: is the rest of the Snort setup process left to do
comparable to leaving off where a tar package's “make install” step left off?

Would I be correct to conclude that I need to follow the rest of the Snort setup instruction documents for Linux from the
point where the “make install” step is done, or does the RPM package method automatically do more of that process?
Pointing me to any existing answers or documents is certainly fine and appreciated.
Lars
From: Y M [mailto:snort () outlook com]
Sent: Saturday, April 06, 2013 1:58 PM
To: wkitty42 () windstream net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Replaying pcaps through Snort

Thanks for the thorough explanation Waldo. At the moment I'm not using any flow modifiers.

If I run the destination capture against the rules, they just trigger as expected. Which I think points back to what 
you just suggested.


From: waldo kitty <mailto:wkitty42 () windstream net> 
Sent: 4/6/2013 8:49 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Replaying pcaps through Snort

On 4/6/2013 11:58, Y M wrote:
Yes.

The real pcap, for example, had src as 192.168.1.10 and dst as 192.168.1.15
The test pcap, for example, had src as 192.168.2.133 and dst as 192.168.1.134

In both cases, the capture being replayed is from the source machine, and the
rule direction was $HOME_NET -> $EXTERNAL_NET. In the real environment, this
generated an alert and dropped the traffic. However, in the test environment,
the same set of rules are not working. I had to flip the direction to
$EXTERNAL_NET -> $HOME_NET, including src and dst ports.

are you using the "to_server" or "to_client" flow: modifiers?


$EXTERNAL_NET 80 -> $HOME_NET any (flow:to_server;) would be client traffic

$HOME_NET any -> $EXTERNAL_NET 80 (flow:to_server;) would be client traffic

$EXTERNAL_NET 80 -> $HOME_NET any (flow:to_client;) would be server traffic

$HOME_NET any -> $EXTERNAL_NET 80 (flow:to_client;) would be server traffic


you can't just go by the placement of the $HOME_NET or $EXTERNAL_NET and the 
direction the '->' is pointing...

flow:established,to_server or flow:established,to_client are pretty common... 
sometimes you might find rules using from_client or from_server... established 
means, of course, that the 3way handshake for tcp connections was performed...


 > Date: Sat, 6 Apr 2013 11:42:21 -0500
 > From: wkitty42 () windstream net
 > To: snort-users () lists sourceforge net
 > Subject: Re: [Snort-users] Replaying pcaps through Snort
 >
 > On 4/6/2013 11:37, Y M wrote:
 > > They are defined the same on both real and testing(VMs) boxes:
 > >
 > > $HOME_NET any
 > > $EXTERNAL_NET any
 >
 > and the pcap is made from the correct side of the connection? the same side that
 > snort is sniffing?
 >
 >
 > > Thanks.
 > > YM
 > >
 > > > Date: Sat, 6 Apr 2013 11:27:19 -0500
 > > > From: wkitty42 () windstream net
 > > > To: snort-users () lists sourceforge net
 > > > Subject: Re: [Snort-users] Replaying pcaps through Snort
 > > >
 > > > On 4/6/2013 10:41, Y M wrote:
 > > > > Nothing, just -c for the conf file.
 > > > >
 > > > > I'm writing some rules, which worked fine on a real environment. But when
 > > > > running on a test environment, replicating the same real scenario, it's
 > > > > getting backwards.
 > > >
 > > > do you have $HOME_NET and $EXTERNAL_NET defined properly/same in the test
 > > > environment as in the live environment?
 > > >
 > > > > So I thought I'm looking at the wrong direction; tagging on the
 > > > > responses, not the requests, but the responses do not contain the content
 > > > > I'm matching on.
 > > > >
 > > > > By the way, I'm planning to submit the rules to the VRT once I finish
 > > > > testing.
 > > > >
 > > > > Thanks.
 > > > > YM
 > > > >
 > > > > --------------------------------------------------------------------------------
 > > > > From: Joel Esler <mailto:jesler () sourcefire com>
 > > > > Sent: 4/6/2013 6:33 PM
 > > > > To: Y M <mailto:snort () outlook com>
 > > > > Cc: snort <mailto:snort-users () lists sourceforge net>
 > > > > Subject: Re: [Snort-users] Replaying pcaps through Snort
 > > > >
 > > > > Nope. -r is the correct command. What other commands are you issuing Snort?
 > > > >
 > > > > --
 > > > > *Joel Esler*
 > > > > Sent from my iPhone
 > > > >
 > > > > On Apr 6, 2013, at 8:43 AM, Y M <snort () outlook com <mailto:snort () outlook com>>
 > > > > wrote:
 > > > >
 > > > >> I have a pcap generated from some testing, and let's assume that the
 > > > >> source ip is 192.168.1.10:5432 and destination ip is 192.168.1.15:445,
 > > > >> which conforms to the test scenario I was working with and as captured by
 > > > >> wireshark.
 > > > >>
 > > > >> However, replaying the pcap file through Snort (-r), Snort is
 > > > >> reporting source and destination ip addresses backwards, i.e.: source ip is
 > > > >> 192.168.1.15:445 and the destination ip 192.168.1.10:5432.
 > > > >>
 > > > >> What am I missing? Is there an extra argument I must input?



------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
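Added example, not code from this thread or from Snort: a small Python model of the point Waldo makes about flow modifiers. It builds a constructed client-side capture (the 192.168.1.10:5432 to 192.168.1.15:445 exchange from the thread, with hypothetical payload), labels every TCP packet to_server or to_client from which side sent the bare SYN, and then applies a rule header plus flow modifier to it; the helper names, the "any" network notation and the packet bytes are all assumptions made for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

SYN, ACK, PSH = 0x02, 0x10, 0x08

def build_record(src, sport, dst, dport, flags, payload=b""):
    # One pcap record: Ethernet + IPv4 + TCP with zero checksums (enough for parsing).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed (hypothetical) client-side capture: 192.168.1.10:5432 -> 192.168.1.15:445, pcap 2.4, Ethernet.
PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
        + build_record("192.168.1.10", 5432, "192.168.1.15", 445, SYN)
        + build_record("192.168.1.15", 445, "192.168.1.10", 5432, SYN | ACK)
        + build_record("192.168.1.10", 5432, "192.168.1.15", 445, PSH | ACK, b"request body"))

def parse_pcap(data):
    # Yield (src, sport, dst, dport, tcp_flags) for every IPv4/TCP record in a little-endian pcap.
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield str(ip_address(frame[26:30])), sport, str(ip_address(frame[30:34])), dport, tcp[13]

def classify_flow(packets):
    # Label packets to_server/to_client by who sent the bare SYN, as stream tracking does, not by src/dst placement.
    initiators, out = {}, []
    for src, sport, dst, dport, flags in packets:
        key = frozenset({(src, sport), (dst, dport)})
        if flags & (SYN | ACK) == SYN:
            initiators[key] = (src, sport)
        direction = "to_server" if initiators.get(key) == (src, sport) else "to_client"
        out.append((src, sport, dst, dport, direction))
    return out

def rule_hits(labelled, src_net, dst_net, flow):
    # A rule header "src_net any -> dst_net any" plus flow:<flow>; both conditions must hold.
    def in_net(ip, net):
        return net == "any" or ip_address(ip) in ip_network(net)
    return [p for p in labelled if in_net(p[0], src_net) and in_net(p[2], dst_net) and p[4] == flow]
```

With both variables set to any, as in the thread, the header matches every packet and only the flow modifier decides which side of the exchange the rule fires on.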
