Snort mailing list archives
Re: Replaying pcaps through Snort
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 06 Apr 2013 11:42:21 -0500
On 4/6/2013 11:37, Y M wrote:
They are defined the same on both real and testing(VMs) boxes: $HOME_NET any $EXTERNAL_NET any
and the pcap is made from the correct side of the connection? the same side that snort is sniffing?
Thanks.
YM

> Date: Sat, 6 Apr 2013 11:27:19 -0500
> From: wkitty42 () windstream net
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Replaying pcaps through Snort
>
> On 4/6/2013 10:41, Y M wrote:
> > Nothing, just -c for the conf file.
> >
> > I'm writing some rules, which worked fine on a real environment. But when
> > running on a test environment, replicating the same real scenario, it's getting
> > backwards.
>
> do you have $HOME_NET and $EXTERNAL_NET defined properly/same in the test
> environment as in the live environment?
>
> > So I thought I'm looking at the wrong direction; tagging on the responses, not
> > the requests, but the responses do not contain the content I'm matching on.
> >
> > By the way, I'm planning to submit the rules to the VRT once I finish testing.
> >
> > Thanks.
> > YM
> >
> > --------------------------------------------------------------------------------
> > From: Joel Esler <mailto:jesler () sourcefire com>
> > Sent: 4/6/2013 6:33 PM
> > To: Y M <mailto:snort () outlook com>
> > Cc: snort <mailto:snort-users () lists sourceforge net>
> > Subject: Re: [Snort-users] Replaying pcaps through Snort
> >
> > Nope. -r is the correct command. What other commands are you issuing Snort?
> >
> > --
> > *Joel Esler*
> > Sent from my iPhone
> >
> > On Apr 6, 2013, at 8:43 AM, Y M <snort () outlook com <mailto:snort () outlook com>>
> > wrote:
> >
> >> I have a pcap generated from some testing, and let's assume that the source ip
> >> is 192.168.1.10:5432 and destination ip is 192.168.1.15:445, which conforms to
> >> the test scenario I was working with and as captured by wireshark.
> >>
> >> However, replaying the pcap file through Snort (-r), Snort is reporting source
> >> and destination ip addresses backwards, i.e.: source ip is 192.168.1.15:445
> >> and the destination ip 192.168.1.10:5432.
> >>
> >> What am I missing? Is there an extra argument I must input?
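The direction question in this thread (which packet of the exchange Snort reports an alert on, and why the rule header's arrow pins nothing when $HOME_NET and $EXTERNAL_NET are both "any") can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from Snort: it builds a constructed pcap using the two addresses from the thread, parses it, and evaluates a simplified Snort 2 rule header (CIDR or "any" nets, single or "any" ports) together with the flow keyword. The pcap builder, the SMB-looking payload, and the alerts() helper are all assumptions of the example and are not Snort's own logic.

```python
import ipaddress
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_pcap(packets):
    """Serialize (src_ip, sport, dst_ip, dport, tcp_flags, payload) tuples into a
    classic little-endian pcap with Ethernet framing. Constructed test input only."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, (sip, sp, dip, dp, flags, payload) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sp, dp, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         ipaddress.IPv4Address(sip).packed,
                         ipaddress.IPv4Address(dip).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp      # zeroed MACs, EtherType IPv4
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (src_ip, sport, dst_ip, dport, tcp_flags, payload) for each IPv4/TCP
    frame in a classic pcap (either byte order, Ethernet link type)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":                 # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                                  # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
        sp, dp = struct.unpack("!HH", tcp[:4])
        yield (str(ipaddress.IPv4Address(ip[12:16])), sp,
               str(ipaddress.IPv4Address(ip[16:20])), dp,
               tcp[13], tcp[(tcp[12] >> 4) * 4:])


def flow_labels(packets):
    """Label each packet to_server / to_client by who sent the bare SYN. This is
    the state a stream tracker keeps and the flow keyword tests; the header
    arrow knows nothing about it."""
    clients, labels = set(), []
    for sip, sp, dip, dp, flags, _ in packets:
        if flags & SYN and not flags & ACK:
            clients.add((sip, sp, dip, dp))
        if (sip, sp, dip, dp) in clients:
            labels.append("to_server")
        elif (dip, dp, sip, sp) in clients:
            labels.append("to_client")
        else:
            labels.append("unknown")              # no handshake seen: no direction
    return labels


def _net_ok(var, ip):
    return var == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(var)


def _port_ok(var, port):
    return var == "any" or int(var) == port


def header_matches(header, variables, pkt):
    """Evaluate a Snort 2 style header 'src_net src_port -> dst_net dst_port'
    (or '<>') after substituting $VARS. Only CIDR/'any' nets, single/'any' ports."""
    src_net, src_port, arrow, dst_net, dst_port = (variables.get(t, t) for t in header.split())
    sip, sp, dip, dp = pkt[:4]
    fwd = (_net_ok(src_net, sip) and _port_ok(src_port, sp)
           and _net_ok(dst_net, dip) and _port_ok(dst_port, dp))
    rev = (_net_ok(src_net, dip) and _port_ok(src_port, dp)
           and _net_ok(dst_net, sip) and _port_ok(dst_port, sp))
    return fwd or (arrow == "<>" and rev)


def alerts(pcap, header, variables, content, flow=None):
    """Return (src_ip, sport, dst_ip, dport) of each packet the rule would alert on:
    header match, raw content match, optional flow:to_server/to_client. The tuple
    is the matching packet's own addressing, so a hit on a reply has the server as source."""
    pkts = list(parse_pcap(pcap))
    return [p[:4] for p, label in zip(pkts, flow_labels(pkts))
            if header_matches(header, variables, p) and content in p[5]
            and (flow is None or flow == label)]


CLIENT, SERVER = "192.168.1.10", "192.168.1.15"
# Constructed exchange using the thread's addresses: handshake, SMB request, SMB reply.
SMB_PDU = b"\x00\x00\x00\x23\xffSMB\x72" + b"\x00" * 30
SAMPLE_PCAP = build_pcap([
    (CLIENT, 5432, SERVER, 445, SYN, b""),
    (SERVER, 445, CLIENT, 5432, SYN | ACK, b""),
    (CLIENT, 5432, SERVER, 445, ACK, b""),
    (CLIENT, 5432, SERVER, 445, PSH | ACK, SMB_PDU),
    (SERVER, 445, CLIENT, 5432, PSH | ACK, SMB_PDU),
])
VARS = {"$HOME_NET": "any", "$EXTERNAL_NET": "any"}   # as in the thread

if __name__ == "__main__":
    hdr = "$EXTERNAL_NET any -> $HOME_NET any"
    print("header only   :", alerts(SAMPLE_PCAP, hdr, VARS, b"\xffSMB"))
    print("flow:to_server:", alerts(SAMPLE_PCAP, hdr, VARS, b"\xffSMB", flow="to_server"))
```

With both variables set to any, `$EXTERNAL_NET any -> $HOME_NET any` matches the request and the reply alike, and the alert carries whichever packet the content matched, so a hit on the reply is reported with 192.168.1.15:445 as the source. What actually restricts the rule to the request is either a concrete destination port (445 here) or `flow:to_server,established`; the flow check depends on Snort's stream preprocessor having seen the handshake, so a capture taken from the wrong side of the connection or started mid-session leaves the direction undecided and the flow option unable to match.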
Current thread:
- Replaying pcaps through Snort Y M (Apr 06)
- Re: Replaying pcaps through Snort Joel Esler (Apr 06)
- <Possible follow-ups>
- Re: Replaying pcaps through Snort Y M (Apr 06)
- Re: Replaying pcaps through Snort waldo kitty (Apr 06)
- Re: Replaying pcaps through Snort Y M (Apr 06)
- Re: Replaying pcaps through Snort waldo kitty (Apr 06)
- Re: Replaying pcaps through Snort Y M (Apr 06)
- Re: Replaying pcaps through Snort waldo kitty (Apr 06)
- Re: Replaying pcaps through Snort waldo kitty (Apr 06)
- Re: Replaying pcaps through Snort Kurt Jensen CISSP (Apr 08)