Re: I don't get any alerts when reading from file.

[<dimopoulos () mhl tuc gr>]

Still, I should have been able to get alerts for infected UDP files,
right? I get absolutely NO alerts! Any other ideas?

> A lot of the snort signatures require an established connection (TCP
> handshake).  Look for "flow:established" in the rule. If your pcap file
> only contains the packets with the signatures and not the entire
> session, snort will not trigger on them.
>
> That's just my guess...
>
> On Fri, 30 Jul 2004 12:55:29 +0300 (EEST), dimopoulos () mhl tuc gr
> <dimopoulos () mhl tuc gr> wrote:
> > Hullo.
> > I'm using snort 2.1.3 on Windows 2000 SP4, on a 1.5 GHz Pentium 4
> > processor with 512 MB and have libcap 3.0. For the past days I've been
> > trying in vain to get snort to read from a file and log the alerts,
> > yet nothing happens. I've editted snort.conf to include all the rule
> > files and set all adresses to 'any'. For a typical execution I use:
> > snort.exe -c snort.conf -r test.txt (test.txt is a random tcp dump
> > file i have created using Ethereal and every packet in the file
> > contains a signature.) I can see that the rules are read successfully
> > from the '.rule' files "2060 Snort rules read...
> > 2060 Option Chains ;inked into 254 Chain Headers"
> > At the results section the "Breakdown by protocol:" is correct but the
> > actions are all 0 (alerts=0,logged=0,passed=0). When I use -vd I can
> > see the header and the data of the packets are all ok (and should
> > generate alerts). I've tried the various -A switches, no change. After
> > reading both the manual and the FAQ I still haven't found anything. Am
> > I blind and have missed something obvious? Any help will be deeply
> > appreciated and will help spare what little hair I haven't torn off my
> > scalp yet!! Thanks!
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by OSTG. Have you noticed the changes
> > on Linux.com, ITManagersJournal and NewsForge in the past few weeks?
> > Now, one more big change to announce. We are now OSTG- Open Source
> > Technology Group. Come see the changes on the new OSTG site.
> > www.ostg.com
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by OSTG. Have you noticed the changes on
> Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
> one more big change to announce. We are now OSTG- Open Source
> Technology Group. Come see the changes on the new OSTG site.
> www.ostg.com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users