Snort mailing list archives

(no subject)


From: "Kris" <5brittons () comcast net>
Date: Tue, 30 Mar 2004 13:07:57 -0500

I am a new snort user and am playing around with writing snort rules and
generating alerts. I am using some raw data files from
http://www.incidents.org/logs/Raw to serve as my test traffic.

The command line I am using for this testing is as follows:

Snort\detects>snort -r c:\snort\detects\2002.5.30 -b -l c:\snort\log -c c:\snort\etc\test.conf -A full

Where test.conf contains one rule which is:

alert tcp any any -> any any (msg:"TCP traffic";)

The command line output from the run is as follows:


C:\Snort\detects>snort -r c:\snort\detects\2002.5.30 -b -l c:\snort\log -c c:\snort\etc\test.conf -A full
Running in IDS mode
Log directory = c:\snort\log
TCPDUMP file reading mode.
Reading network traffic from "c:\snort\detects\2002.5.30" file.
snaplen = 1514

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file c:\snort\etc\test.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read...
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.1-ODBC-MySQL-FlexRESP-WIN32 (Build 24)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.1 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
Run time for packet processing was 0.0 seconds

===============================================================================
Snort processed 138 packets.
Breakdown by protocol:                Action Stats:

    TCP: 125        (90.580%)         ALERTS: 0
    UDP: 13         (9.420%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
===============================================================================

TCP Stream Reassembly Stats:
   TCP Packets Used:      0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0
===============================================================================

Snort exiting


Given the rule in test.conf, I was expecting to see 125 alerts generated (as opposed to the 0 noted).

I checked the alert.ids file in the /snort/log directory and it indeed has no alerts present.

Any help would be appreciated.

Thanks,

Kris B.