Snort mailing list archives

Re: Snort Offline Mode Doesn't Generate Alert


From: DFIRob via Snort-users <snort-users () lists snort org>
Date: Mon, 19 Aug 2019 21:13:19 +0200

Hi,

In your live capture mode, you disable packet checksum validation (with -k
none), and you don't while reading the pcap in the second case. When
capturing packets on the host that generated them, it's most common that
packet checksums are not yet calculated (because it's offloaded below
libpcap in the network stack), and therefore checksums are zero.

Does passing -k none in your offline case produce desired results?

If not, can you share the pcap and ruleset?

Best regards,

--rob

On Sun, Aug 18, 2019 at 5:41 AM fluency0726 via Snort-users <
snort-users () lists snort org> wrote:

Hi all.
       I'm doing some snort performance tests these days, but met a problem
when I use the snort offline mode. I wrote a snort rule file with a single
rule, and generated a pcap file with some packets that can trigger the
alert. My testbed has two servers: server A, which runs snort 3.0, and
server B, which sends packets with tcpreplay. When I send the pcap file
that I generated before from server B to server A, everything is fine;
snort running on server A generates the alert as expected. Then I copied
the pcap file to server A and ran snort in offline mode to search the pcap
file; what confused me was that all packets were "allowed" by snort and
not a single alert was generated. I used the following bash command to
run snort in inline mode:

sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/customized.rules -i enp131s0f0 -k none -A alert_fast

and I used the following bash command to run snort in offline mode:

sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/snort/rules/customized.rules -r ./traces.pcap -A alert_fast

where traces.pcap is the pcap file including the packets that can trigger
snort's alert in inline mode.

       I have no idea why this problem appears or how to solve it. I
would very much appreciate it if someone could help me with it.

       Chang Liu
       Tsinghua University, Beijing, China
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

