Snort mailing list archives
Using snort -r for default detection against 1000s of PCAPs
From: Jeremy Gin <jgin () utexas edu>
Date: Wed, 22 Mar 2017 16:01:57 -0500
Hello,

I am completely new to Snort and I am using it in a research project in which I am calculating detection rates and resource usage of Snort out of the box against 8-10 attacks captured in >1000 PCAPs that I have created in my lab environment.

Based on my understanding of Snort’s documentation, I need to use the “snort -r <name>.pcap” command. I like this command because it seems easily scriptable in Python: run the command, pipe stdout to file, search file for alerts, aggregate results for 1000s of trials.

For ease of use and because I have no previous Snort experience, I have started with a vanilla Security Onion 14.04 VM. I have tried 2 different commands:

(1) When I run “snort -r <name>.pcap” against some of my malicious pcaps I get no alerts. Instead, for every packet I do get a warning: “Warning: no preprocessors configured for policy 0”. This indicates to me that Snort is not checking any preprocessors or rules against my pcap.

(2) When I run “snort -r <name>.pcap -c /etc/nsm/templates/snort/snort.conf” I get an error: “ERROR: pfring DAQ does not support read-file. Fatal Error, Quitting..”

I googled around for (1), which led me to (2). I googled (2) to find that not many people are using Snort for read-file and that the documentation seems sparse for this use case.

I just want to run Snort and its default rules against my pcap and check any alerts that it produces. How can I get there?

Thanks,
Jeremy
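The batch workflow the post describes (run snort -r per PCAP, capture the output, pick out alert lines, aggregate over many trials) is sketched below as an added example; it is not code from the original post or from the Snort project. It assumes Snort 2.x command-line flags (-r, -c, -A console, --daq pcap) and the one-line "-A console" alert format, and it selects the pcap DAQ module explicitly because a DAQ that cannot read files, like the pfring one in the error quoted above, will abort the run; confirm the module is present on your box with `snort --daq-list`. The important part for a detection-rate study is that a trial whose output shows Snort never applied rules (the "no preprocessors configured" warning, or a fatal DAQ error) is counted as invalid, not as zero detections. The config path and the sample alert lines are constructed placeholders.

```python
"""Batch-run Snort 2.x in read-file mode over many PCAPs and tally alerts.

Added illustration for this thread (not the poster's or the Snort project's
code). Assumes Snort 2.x flags -r, -c, -A console and --daq pcap, and the
"-A console" alert line layout documented in the regex below.
"""
import re
import subprocess
from collections import Counter
from pathlib import Path

# One "-A console" alert line (Snort 2.x):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Output that means rules were never applied; such a trial is "invalid",
# not "zero detections" (otherwise it silently drags the detection rate down).
INVALID_MARKERS = (
    "no preprocessors configured",   # ran without -c: nothing was inspected
    "ERROR:",                        # e.g. a DAQ that refuses read-file
    "Fatal Error",
)


def parse_alerts(text):
    """Return one dict per alert line found in Snort's console output."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # banner, stats and warnings are simply skipped
        d = m.groupdict()
        for k in ("gid", "sid", "rev"):
            d[k] = int(d[k])
        alerts.append(d)
    return alerts


def classify_run(output):
    """'invalid' if the output shows Snort never applied rules, else 'ok'."""
    return "invalid" if any(k in output for k in INVALID_MARKERS) else "ok"


def run_snort(pcap, conf, snort="snort"):
    """Run one read-file trial; returns (status, alerts, raw_output).

    --daq pcap forces the file-capable DAQ instead of whatever the host's
    snort.conf or build defaults to (pfring cannot read files).
    """
    cmd = [snort, "-A", "console", "--daq", "pcap",
           "-c", str(conf), "-r", str(pcap)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    out = proc.stdout + proc.stderr
    status = "invalid" if proc.returncode != 0 else classify_run(out)
    return status, (parse_alerts(out) if status == "ok" else []), out


def aggregate(results):
    """results: {pcap_name: (status, alerts)} -> corpus summary."""
    summary = {"trials": len(results), "invalid": 0, "detected": 0,
               "sid_hits": Counter(), "per_pcap": {}}
    for name, (status, alerts) in results.items():
        if status != "ok":
            summary["invalid"] += 1
            summary["per_pcap"][name] = None   # excluded from the rate
            continue
        sids = Counter(a["sid"] for a in alerts)
        summary["per_pcap"][name] = dict(sids)
        summary["sid_hits"].update(sids)
        if alerts:
            summary["detected"] += 1
    valid = summary["trials"] - summary["invalid"]
    summary["detection_rate"] = summary["detected"] / valid if valid else 0.0
    return summary


def run_corpus(pcap_dir, conf):
    """Run every *.pcap under pcap_dir (needs a working snort binary)."""
    results = {}
    for pcap in sorted(Path(pcap_dir).glob("*.pcap")):
        status, alerts, _ = run_snort(pcap, conf)
        results[pcap.name] = (status, alerts)
    return aggregate(results)


# Constructed sample outputs (not real captures) so the parser runs offline.
SAMPLE_OK = """\
03/22-16:01:57.000123  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.7:51234
03/22-16:01:58.000456  [**] [1:1000001:1] LAB test rule [**] [Priority: 3] {UDP} 10.0.0.7:5353 -> 10.0.0.5:53
03/22-16:01:59.000789  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.7:51235
"""
SAMPLE_NO_CONF = "Warning: no preprocessors configured for policy 0\n" * 3
SAMPLE_PFRING = "ERROR: pfring DAQ does not support read-file.\nFatal Error, Quitting..\n"

if __name__ == "__main__":
    # Offline demo over the constructed outputs; for a real run use
    # run_corpus("/path/to/pcaps", "/path/to/snort.conf") instead.
    demo = {
        "attack1.pcap": (classify_run(SAMPLE_OK), parse_alerts(SAMPLE_OK)),
        "attack2.pcap": (classify_run(SAMPLE_NO_CONF), []),
        "attack3.pcap": (classify_run(SAMPLE_PFRING), []),
    }
    print(aggregate(demo))
```

Per-PCAP counts are keyed by SID rather than by message text so that two revisions of the same rule are tallied together, and the summary keeps the invalid count separate so a misconfigured batch is visible at a glance instead of looking like a low detection rate.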
Current thread:
- Using snort -r for default detection against 1000s of PCAPs Jeremy Gin (Mar 22)
- Re: Using snort -r for default detection against 1000s of PCAPs Al Lewis (allewi) (Mar 22)
- Re: Using snort -r for default detection against 1000s of PCAPs Victor Roemer (Mar 22)