Snort mailing list archives

Re: Replaying pcaps through Snort


From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 06 Apr 2013 11:42:21 -0500

On 4/6/2013 11:37, Y M wrote:
> They are defined the same on both real and testing(VMs) boxes:
>
> $HOME_NET any
> $EXTERNAL_NET any

and the pcap is made from the correct side of the connection? the same side that 
snort is sniffing?


> Thanks.
> YM

 > Date: Sat, 6 Apr 2013 11:27:19 -0500
 > From: wkitty42 () windstream net
 > To: snort-users () lists sourceforge net
 > Subject: Re: [Snort-users] Replaying pcaps through Snort
 >
 > On 4/6/2013 10:41, Y M wrote:
 > > Nothing, just -c for the conf file.
 > >
 > > I'm writing some rules, which worked fine on a real environment. But when
 > > running on a test environment, replicating the same real scenario, it's getting
 > > backwards.
 >
 > do you have $HOME_NET and $EXTERNAL_NET defined properly/same in the test
 > environment as in the live environment?
 >
 > > So I thought I'm looking at the wrong direction; tagging on the responses, not
 > > the requests, but the responses do not contain the content I'm matching on.
 > >
 > > By the way, I'm planning to submit the rules to the VRT once I finish testing.
 > >
 > > Thanks.
 > > YM
 > >
--------------------------------------------------------------------------------
 > > From: Joel Esler <mailto:jesler () sourcefire com>
 > > Sent: 4/6/2013 6:33 PM
 > > To: Y M <mailto:snort () outlook com>
 > > Cc: snort <mailto:snort-users () lists sourceforge net>
 > > Subject: Re: [Snort-users] Replaying pcaps through Snort
 > >
 > > Nope. -r is the correct command. What other commands are you issuing Snort?
 > >
 > > --
 > > *Joel Esler*
 > > Sent from my iPhone 
 > >
 > > On Apr 6, 2013, at 8:43 AM, Y M <snort () outlook com <mailto:snort () outlook com>>
 > > wrote:
 > >
 > >> I have a pcap generated from some testing, and let's assume that the source ip
 > >> is 192.168.1.10:5432 and destination ip is 192.168.1.15:445, which conforms to
 > >> the test scenario I was working with and as captured by wireshark.
 > >>
 > >> However, replaying the pcap file through Snort (-r), Snort is reporting source
 > >> and destination ip addresses backwards, i.e.: source ip is 192.168.1.15:445
 > >> and the destination ip 192.168.1.10:5432.
 > >>
 > >> What am I missing? Is there an extra argument I must input?
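The direction question in this thread, as an added check that is not part of the original exchange: before blaming the rules, confirm which endpoint actually opens each TCP flow in the pcap and whether the capture contains the SYN at all. The assumption behind the check is that Snort's stream tracking takes client/server from the handshake, and that with both $HOME_NET and $EXTERNAL_NET set to `any` only the `flow:` keywords (to_server/to_client) still carry direction, so a capture that begins mid-stream with the responder's packet first makes the responder look like the client. The script below is a stdlib-only classic-pcap reader written for this example (Ethernet/IPv4/TCP only, no pcapng); the two embedded captures are constructed from the addresses quoted in the thread and are not the poster's data.

```python
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic, as read in native byte order
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_frame(src_ip, sport, dst_ip, dport, flags):
    """Ethernet/IPv4/TCP frame with no payload (constructed test data, checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(data):
    """Yield raw frames from a classic pcap in either byte order (pcapng is not handled)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport, flags), or None for anything but IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, sport, dst, dport, tcp[13]


def flow_directions(data):
    """For each TCP flow, report who appears to be the client and whether its SYN was captured.

    The first packet seen for a flow sets the apparent client; only a bare SYN proves it.
    A capture that starts mid-stream with a server packet therefore shows the server as
    the client, which is the "backwards" picture to look for before rewriting rules.
    """
    flows = {}
    for frame in iter_frames(data):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        key = tuple(sorted([(src, sport), (dst, dport)]))
        if key not in flows:
            flows[key] = {"client": (src, sport), "server": (dst, dport),
                          "syn_seen": flags & (TCP_SYN | TCP_ACK) == TCP_SYN}
    return list(flows.values())


# Constructed captures using the addresses from the thread (not the poster's pcap).
C, S = ("192.168.1.10", 5432), ("192.168.1.15", 445)
HANDSHAKE_PCAP = build_pcap([
    build_frame(*C, *S, TCP_SYN),
    build_frame(*S, *C, TCP_SYN | TCP_ACK),
    build_frame(*C, *S, TCP_ACK),
])
MIDSTREAM_PCAP = build_pcap([          # capture began after the handshake: server talks first
    build_frame(*S, *C, TCP_ACK),
    build_frame(*C, *S, TCP_ACK),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else MIDSTREAM_PCAP
    for flow in flow_directions(data):
        print(flow)
```

Run it against the real capture (`python3 flowcheck.py test.pcap`, a hypothetical filename) and compare the reported client with the host Snort's alert names as source. If `syn_seen` is false for the flow in question, the capture was started after the handshake, and the fix is to recapture from the connection's start rather than to change the rule's direction.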



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
