Snort mailing list archives

Using snort -r for default detection against 1000s of PCAPs


From: Jeremy Gin <jgin () utexas edu>
Date: Wed, 22 Mar 2017 16:01:57 -0500

Hello,

I am completely new to Snort and I am using it in a research project in
which I am calculating detection rates and resource usage of Snort out of
the box against 8-10 attacks captured in >1000 PCAPs that I have created in
my lab environment.

Based on my understanding of Snort’s documentation, I need to use the
“snort -r <name>.pcap” command. I like this command because it seems easily
scriptable in Python: run the command, pipe stdout to file, search file for
alerts, aggregate results for 1000s of trials. For ease of use and because
I have no previous Snort experience, I have started with a vanilla Security
Onion 14.04 VM.

I have tried 2 different commands:

(1) When I run “snort -r <name>.pcap” against some of my malicious pcaps I
get no alerts. Instead, for every packet I do get a warning: “Warning: no
preprocessors configured for policy 0”. This indicates to me that Snort is
not checking any preprocessors or rules against my pcap.

(2) When I run “snort -r <name>.pcap -c /etc/nsm/templates/snort/snort.conf”
I get an error: “ERROR: pfring DAQ does not support read-file.

Fatal Error, Quitting..”

I googled around for (1), which led me to (2). I googled (2) to find that
not many people are using Snort for read-file and that the documentation
seems sparse for this use case. I just want to run Snort and its default
rules against my pcap and check any alerts that it produces. How can I get
there?

Thanks,

Jeremy
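As an added example (not code from the poster or from the Snort project), the batch workflow the post describes, run the command per PCAP, capture stdout, pick out the alert lines, aggregate over the whole corpus, can be scripted as below. It assumes a Snort 2.9.x binary on PATH, that `--daq pcap` overrides a DAQ set in `snort.conf` that cannot read files (the pfring error in (2)), and that `-A console` prints alerts to stdout in Snort's "fast" format, which is what the parser expects. The alert line used as sample input is constructed, with a local-rule sid, and is not taken from any real run. The only function that launches Snort is `run_snort`; the parsing and aggregation work on plain text and can be exercised without Snort installed.

```python
"""Run Snort in read-file mode over a directory of PCAPs and aggregate alerts.

Added example; assumptions (not from the original post):
  * `snort` (2.9.x) is on PATH.
  * `--daq pcap` overrides the DAQ configured in snort.conf so -r works.
  * `-A console` writes fast-format alerts to stdout; `-q` suppresses banners.
  * `-k none` skips checksum verification, which lab-generated PCAPs often fail.
"""
import re
import subprocess
import sys
import time
from collections import Counter
from pathlib import Path

# One alert in Snort's fast/console format (constructed sample, sid in local range):
# 03/22-16:01:57.123456  [**] [1:1000001:1] LAB test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:4444 -> 10.0.0.9:51234
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<classification>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<priority>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alert_line(line):
    """Return the alert's fields as a dict, or None for non-alert output
    (warnings such as 'no preprocessors configured' fall through to None)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
    d["priority"] = int(d["priority"]) if d["priority"] else None
    return d


def summarize(output):
    """Aggregate one run's stdout: total alerts, detected flag, hits per gid:sid."""
    alerts = [a for a in (parse_alert_line(l) for l in output.splitlines()) if a]
    per_sig = Counter(f"{a['gid']}:{a['sid']}" for a in alerts)
    return {"alerts": len(alerts), "detected": bool(alerts), "per_sig": per_sig}


def snort_command(pcap, conf):
    """Command line for a single read-file run (see module docstring for flags)."""
    return ["snort", "-q", "-k", "none", "-A", "console", "--daq", "pcap",
            "-c", str(conf), "-r", str(pcap)]


def run_snort(pcap, conf):
    """Run Snort once over a PCAP; record alerts, wall time and exit status."""
    t0 = time.perf_counter()
    proc = subprocess.run(snort_command(pcap, conf), capture_output=True, text=True)
    summary = summarize(proc.stdout)
    summary.update(wall_seconds=round(time.perf_counter() - t0, 3),
                   returncode=proc.returncode,
                   stderr_tail=proc.stderr[-300:])  # keeps fatal DAQ errors visible
    return summary


def run_batch(pcap_dir, conf):
    """Run every *.pcap in pcap_dir; returns {filename: summary}."""
    return {p.name: run_snort(p, conf) for p in sorted(Path(pcap_dir).glob("*.pcap"))}


def detection_rate(results):
    """Fraction of PCAPs that produced at least one alert (0.0 for an empty set)."""
    if not results:
        return 0.0
    return sum(1 for r in results.values() if r["detected"]) / len(results)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <pcap_dir> <snort.conf>")
    results = run_batch(sys.argv[1], sys.argv[2])
    print("pcap,alerts,wall_seconds,returncode,top_sig")
    for name, r in results.items():
        top = r["per_sig"].most_common(1)[0][0] if r["per_sig"] else "-"
        print(f"{name},{r['alerts']},{r['wall_seconds']},{r['returncode']},{top}")
    print(f"detection rate: {detection_rate(results):.1%} over {len(results)} PCAPs")
```

A non-zero `returncode` with an empty alert list means Snort did not actually inspect the file (for instance the DAQ error from (2)), so the script keeps the tail of stderr per PCAP rather than silently counting the run as "no detection". Per-PCAP wall time is only a coarse resource measure; for CPU and memory figures a wrapper such as `/usr/bin/time -v` around each run is more informative.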
_______________________________________________
Snort-users mailing list