Re: Replaying pcaps through Snort

[Y M <snort () outlook com>]

Nothing, just -c for the conf file.

I'm writing some rules, which worked fine on a real environment. But when running on a test environment, replicating 
the same real scenario, its getting backwards.

So I thought im looking at the wrong direction; tagging on the responses, not the requests, but the responses do not 
contain the content im matching on.

By the way, im planning to submit the rules to the VRT once I finish testing.

Thanks.
YM
________________________________
From: Joel Esler<mailto:jesler () sourcefire com>
Sent: ‎4/‎6/‎2013 6:33 PM
To: Y M<mailto:snort () outlook com>
Cc: snort<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Replaying pcaps through Snort

Nope.  -r is the correct command.  Hat other commands are you issuing Snort?

--
Joel Esler
Sent from my iPhone 

On Apr 6, 2013, at 8:43 AM, Y M <snort () outlook com> wrote:

> I have a pcap generated from some testing, and lets assume that the source ip is 192.168.1.10:5432 and destination ip 
> is 192.168.1.15:445, which conforms to the test scenario I was working with and as captured by wireshark.
>
> However, replaying the pcap file through Snort (-r), Snort is reporting source and destination ip addresses 
> backwards, i.e.:  source ip is 192.168.1.15:445 and the destination ip 192.168.1.10:5432.
>
> What am i missing? Is there an extra argument i must input?
>
> Thanks.
> YM
> ------------------------------------------------------------------------------
> Minimize network downtime and maximize team effectiveness.
> Reduce network management and security costs.Learn how to hire
> the most talented Cisco Certified professionals. Visit the
> Employer Resources Portal
> http://www.cisco.com/web/learning/employer_resources/index.html
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!