Snort mailing list archives
Re: Replaying pcaps through Snort
From: Y M <snort () outlook com>
Date: Sat, 6 Apr 2013 18:41:41 +0300
Nothing, just -c for the conf file. I'm writing some rules, which worked fine on a real environment. But when running on a test environment, replicating the same real scenario, it's getting backwards. So I thought I'm looking at the wrong direction; tagging on the responses, not the requests, but the responses do not contain the content I'm matching on. By the way, I'm planning to submit the rules to the VRT once I finish testing. Thanks.

YM

________________________________
From: Joel Esler <jesler () sourcefire com>
Sent: 4/6/2013 6:33 PM
To: Y M <snort () outlook com>
Cc: snort <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Replaying pcaps through Snort

Nope. -r is the correct command. What other commands are you issuing Snort?

--
Joel Esler
Sent from my iPhone

On Apr 6, 2013, at 8:43 AM, Y M <snort () outlook com> wrote:

I have a pcap generated from some testing, and let's assume that the source IP is 192.168.1.10:5432 and destination IP is 192.168.1.15:445, which conforms to the test scenario I was working with and as captured by Wireshark. However, replaying the pcap file through Snort (-r), Snort is reporting source and destination IP addresses backwards, i.e.: source IP is 192.168.1.15:445 and the destination IP 192.168.1.10:5432. What am I missing? Is there an extra argument I must input? Thanks.

YM

------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness. Reduce network management and security costs. Learn how to hire the most talented Cisco Certified professionals. Visit the Employer Resources Portal http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
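An added example, not from this thread or from the Snort project: a small standard-library Python script that reads a pcap and labels each TCP packet to_server or to_client from the capture itself, so the direction Snort reports for a replayed file can be checked against what the file actually contains, and so a missing handshake (a mid-stream capture) is noticed. The sample captures are constructed inline with the thread's addresses; the "lower port is the server" fallback used when no SYN is present is this example's own assumption, not a statement of how Snort decides.

```python
import struct

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet+IPv4+TCP bytes for a constructed packet (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def tcp_packets(pcap):
    """Yield (src, sport, dst, dport, flags) for each IPv4/TCP packet in a pcap."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        yield (".".join(map(str, frame[26:30])), struct.unpack("!H", tcp[:2])[0],
               ".".join(map(str, frame[30:34])), struct.unpack("!H", tcp[2:4])[0], tcp[13])

def direction_report(pcap):
    """Label packets to_server/to_client. Client = sender of the first bare SYN; with
    no handshake captured, the lower port is assumed to be the server (a guess only)."""
    pkts = list(tcp_packets(pcap))
    syns = [(s, sp) for s, sp, d, dp, fl in pkts if (fl & 0x12) == 0x02]
    if syns:
        client, how = syns[0], "handshake"
    else:
        s, sp, d, dp, _ = pkts[0]
        client, how = ((s, sp) if sp > dp else (d, dp)), "port-guess"
    rows = [("to_server" if (s, sp) == client else "to_client", f"{s}:{sp}", f"{d}:{dp}")
            for s, sp, d, dp, _ in pkts]
    return how, rows

# Constructed captures of the thread's scenario: 192.168.1.10:5432 -> 192.168.1.15:445.
FULL = build_pcap([tcp_frame("192.168.1.10", "192.168.1.15", 5432, 445, 0x02),
                   tcp_frame("192.168.1.15", "192.168.1.10", 445, 5432, 0x12),
                   tcp_frame("192.168.1.10", "192.168.1.15", 5432, 445, 0x18, b"\xffSMB")])
MIDSTREAM = build_pcap([tcp_frame("192.168.1.15", "192.168.1.10", 445, 5432, 0x18, b"\xffSMB")])
```

Run `direction_report` on a real capture read from disk in the same way; when it reports "port-guess", the file has no handshake and any direction-sensitive rule option (such as flow:to_server) depends on a guess rather than on the observed SYN.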
Current thread:
- Replaying pcaps through Snort Y M (Apr 06)
- Re: Replaying pcaps through Snort Joel Esler (Apr 06)
- <Possible follow-ups>
- Re: Replaying pcaps through Snort Y M (Apr 06)
- Re: Replaying pcaps through Snort waldo kitty (Apr 06)
- Re: Replaying pcaps through Snort Y M (Apr 06)
- Re: Replaying pcaps through Snort waldo kitty (Apr 06)
- Re: Replaying pcaps through Snort Y M (Apr 06)
- Re: Replaying pcaps through Snort waldo kitty (Apr 06)
- Re: Replaying pcaps through Snort waldo kitty (Apr 06)
- Re: Replaying pcaps through Snort Kurt Jensen CISSP (Apr 08)