Snort mailing list archives
Re: tcpdump file analysis
From: Oguz Yarimtepe <comp.ogz () gmail com>
Date: Sun, 03 May 2009 20:06:20 +0300
On Sun, 2009-05-03 at 04:32 -0400, Joel Esler wrote:
> Yes, If you run Snort as you would any other time in IPS mode "-c", and simply use the output plugins you have defined in your snort.conf, when you run Snort with the -r option, it will log the alerts generated from
I ran it in this way:

snort -c /etc/snort/snort.conf -de -r attack-test.pcap

But it seems it doesn't process the file because I don't see any attack info at the BASE web interface. attack-test.pcap is produced by

nmap -P0 -sS -p 135,139,445,80,21,20,22 -e lo 192.168.2.4

and

snort -c /etc/snort/snort.conf -de -r attack-test.pcap ....

Here is the command output:

328 out of 512 flowbits in use.
TCPDUMP file reading mode.
Reading network traffic from "attack-test.pcap" file.
snaplen = 65535
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = unknown:[reading from a file]
database: sensor id = 8
database: schema version = 107
database: using the "log" facility
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = unknown:[reading from a file]
database: sensor id = 8
database: schema version = 107
database: using the "log" facility

(It waits here without processing)

So I may be doing some misconfiguration. I am using the pre-compiled snort-mysql deb file from ubuntu hardy 8.0 repo.

-- 
Oguz Yarimtepe
http://www.loopbacking.info
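When Snort reads a capture with -r and nothing shows up in the database, the first thing to separate is "the file has no interesting packets" from "the output plugin is not receiving alerts". The script below is an added example, not code from this thread or from the Snort project: it builds a small constructed pcap in memory (TCP SYNs to the same ports the nmap command above targets, from a made-up source address 192.168.2.10) and then parses it back with only the Python standard library, reporting the link type, the snaplen and how many bare SYNs went to each destination port. The same summarize_pcap() function works on a real file passed as the first argument, so it can be pointed at attack-test.pcap to confirm the scan packets are actually in the capture and that the link type is Ethernet (DLT 1), which is what Snort expects by default; a loopback capture on some platforms uses a different link type, which is worth checking before blaming the database plugin. Whether Snort itself generated alerts is easier to see by running it once with -A console in addition to the configured output plugins.

```python
"""Sanity-check a pcap before feeding it to Snort -r (added example, not from the post).

Builds a constructed pcap of TCP SYN packets in memory and parses it back with
nothing but the standard library.  Run with a filename to summarize a real capture.
"""
import socket
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1           # DLT_EN10MB: the link type Snort expects by default
SCAN_PORTS = [135, 139, 445, 80, 21, 20, 22]   # same ports as the nmap command in the thread


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_syn_packet(src_ip, dst_ip, src_port, dst_port, seq=0) -> bytes:
    """Ethernet/IPv4/TCP frame carrying a bare SYN (constructed test traffic)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x02, 1024, 0, 0)
    # TCP checksum over the pseudo-header, so a checksum-verifying IDS does not ignore the packet
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return eth + ip + tcp


def build_pcap(packets, linktype=LINKTYPE_ETHERNET) -> bytes:
    """Classic little-endian pcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1241380000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def summarize_pcap(data: bytes) -> dict:
    """Return link type, snaplen, packet count and SYN count per TCP destination port."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or truncated?)")
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    summary = {"linktype": linktype, "snaplen": snaplen, "packets": 0, "syn_by_port": {}}
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        summary["packets"] += 1
        # Only decode Ethernet -> IPv4 -> TCP; anything else still counts as a packet
        if linktype != LINKTYPE_ETHERNET or len(pkt) < 54 or pkt[12:14] != b"\x08\x00":
            continue
        if pkt[23] != 6:                      # IP protocol field: 6 = TCP
            continue
        ihl = (pkt[14] & 0x0F) * 4
        tcp = pkt[14 + ihl:]
        _, dport, _, _, _, flags = struct.unpack("!HHIIBB", tcp[:14])
        if flags & 0x02 and not flags & 0x10:  # SYN set, ACK clear: a scan probe
            summary["syn_by_port"][dport] = summary["syn_by_port"].get(dport, 0) + 1
    return summary


def constructed_scan_pcap() -> bytes:
    """One SYN to each port in SCAN_PORTS from a constructed source address."""
    pkts = [build_syn_packet("192.168.2.10", "192.168.2.4", 40000 + i, p, seq=i)
            for i, p in enumerate(SCAN_PORTS)]
    return build_pcap(pkts)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_scan_pcap()
    s = summarize_pcap(blob)
    print("linktype=%d snaplen=%d packets=%d" % (s["linktype"], s["snaplen"], s["packets"]))
    for port, n in sorted(s["syn_by_port"].items()):
        print("  SYN -> port %d: %d" % (port, n))
```

If the summary shows zero packets or zero SYNs for a capture that was supposed to hold the scan, the problem is upstream of Snort (capture interface or filter); if the packets are there but the link type is not 1, Snort needs to be told about it; only if both look right is it worth digging into the database output plugin and BASE.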
Current thread:
- tcpdump file analysis Oguz Yarimtepe (May 03)
- Re: tcpdump file analysis Nigel Houghton (May 03)
- Re: tcpdump file analysis Joel Esler (May 03)
- Re: tcpdump file analysis Oguz Yarimtepe (May 03)