Snort mailing list archives

Re: tcpdump file analysis


From: Oguz Yarimtepe <comp.ogz () gmail com>
Date: Sun, 03 May 2009 20:06:20 +0300

On Sun, 2009-05-03 at 04:32 -0400, Joel Esler wrote:
Yes, if you run Snort as you would any other time in IPS mode "-c", and simply use the output plugins you have defined in your snort.conf, when you run Snort with the -r option, it will log the alerts generated from

I ran it in this way:

snort -c /etc/snort/snort.conf -de -r attack-test.pcap 

But it seems it doesn't process the file because I don't see any attack
info at the BASE web interface.

attack-test.pcap is produced by 

nmap -P0 -sS -p 135,139,445,80,21,20,22 -e lo  192.168.2.4

and

snort -c /etc/snort/snort.conf -de -r attack-test.pcap

....

Here is the command output:
328 out of 512 flowbits in use.
TCPDUMP file reading mode.
Reading network traffic from "attack-test.pcap" file.
snaplen = 65535
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = unknown:[reading from a file]
database:     sensor id = 8
database: schema version = 107
database: using the "log" facility
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = unknown:[reading from a file]
database:     sensor id = 8
database: schema version = 107
database: using the "log" facility

(It waits here without processing)

So I may be doing some misconfiguration.

I am using the pre-compiled snort-mysql deb file from the Ubuntu hardy 8.0
repo.


-- 
Oguz Yarimtepe
http://www.loopbacking.info
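The isolation step a practitioner would take here, as an added example (not code from the thread): run Snort over the pcap with the fast alert output writing to a plain log directory, so rule matches can be counted without the database output plugin or BASE in the path. The fast-format alert lines below are constructed samples; the log directory /tmp/snort-fast and the snort.conf path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): confirm Snort actually fires on the
# pcap before debugging the database/BASE side.

# Run Snort read-only over a pcap, writing fast-format alerts to $2/alert
# (the default file name of the fast alert output). -k none keeps packets
# with bad checksums, which locally captured pcaps often contain because
# of checksum offload; otherwise Snort silently skips them.
run_snort_fast() {
    pcap=$1; logdir=$2
    mkdir -p "$logdir"
    snort -c /etc/snort/snort.conf -q -k none -A fast -l "$logdir" -r "$pcap"
}

# Count alert records in a fast-format alert file (one "[**]" pair per line).
count_alerts() {
    grep -c '\[\*\*\]' "$1"
}

# Summarize alerts per destination port: prints "<port> <count>" lines,
# sorted by port. The last field of a fast alert line is "dst_ip:dst_port".
alerts_by_dst_port() {
    awk '/\[\*\*\]/ { n = split($NF, a, ":"); port[a[n]]++ }
         END { for (p in port) print p, port[p] }' "$1" | sort -n
}

# Constructed sample alert file in fast format (not real Snort output).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
05/03-20:01:00.000001  [**] [1:1000001:1] CONSTRUCTED SYN to port 445 [**] [Priority: 2] {TCP} 192.168.2.1:40001 -> 192.168.2.4:445
05/03-20:01:00.000002  [**] [1:1000002:1] CONSTRUCTED SYN to port 139 [**] [Priority: 2] {TCP} 192.168.2.1:40002 -> 192.168.2.4:139
05/03-20:01:00.000003  [**] [1:1000001:1] CONSTRUCTED SYN to port 445 [**] [Priority: 2] {TCP} 192.168.2.1:40003 -> 192.168.2.4:445
EOF

# With PCAP=attack-test.pcap set, process the real capture and report.
if [ -n "${PCAP:-}" ]; then
    run_snort_fast "$PCAP" /tmp/snort-fast
    count_alerts /tmp/snort-fast/alert
    alerts_by_dst_port /tmp/snort-fast/alert
fi
```

If the alert count is zero here, the problem is on the detection side (pcap contents, rules, checksums), not the database output; if alerts appear but BASE stays empty, look at the output database configuration instead.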

