Snort mailing list archives

Re: Generating alert when reading tcpdump file


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 3 Jul 2002 14:44:57 -0700 (PDT)

On Wed, 3 Jul 2002, Andrew R. Baker wrote:

tang xun wrote:
Hi All,
     I got some tcpdump data from various network to
analyze. I am able to start snort to read those
tcpdump files with the following command and generate
logs.

snort -A full -v -d -h home_net -l /var/log/snort -r tcpdump_file.


You are missing a "-c snort.conf" in the above line.  You need to use
this if you want Snort to run with any rules enabled.

    But the "-A full" didn't work. I only got an empty
alert file although I can see attacks in the tcpdump
file.

    The question is whether snort can generate alerts
when reading tcpdump files(in playback mode)?

Yes, but you have to load some rules for it to use to detect the alerts.

One thing to also keep in mind:  The default snaplen for tcpdump is 64.  The
default snaplen for snort is 1514.  So tcpdump might 'see' the attack but if
the data that the rules are matching is > 64 into the packet, it won't fire.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
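A check for the snaplen issue Erek raises, added here as an example and not code from the thread: it reads the classic pcap global header to report the capture's snaplen and counts records where fewer bytes were captured than were on the wire (those are the packets whose deeper payload a rule can never match). The sample pcap is constructed in memory; pcapng files are not handled.

```python
import struct

# Constructed sample: a pcap file header with the thread's old tcpdump default
# snaplen of 64, followed by two records, the second truncated by that snaplen.
PCAP_MAGIC = 0xA1B2C3D4
HEADER_FMT = "IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_FMT = "IIII"      # ts_sec, ts_usec, incl_len, orig_len

def build_sample_pcap(snaplen=64, endian="<"):
    """Return a minimal pcap blob (constructed test data, not a real capture)."""
    hdr = struct.pack(endian + HEADER_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    # packet 1: 40 bytes on the wire, fully captured
    rec1 = struct.pack(endian + RECORD_FMT, 0, 0, 40, 40) + b"\x00" * 40
    # packet 2: 200 bytes on the wire, only min(snaplen, 200) bytes captured
    captured = min(snaplen, 200)
    rec2 = struct.pack(endian + RECORD_FMT, 0, 0, captured, 200) + b"\x00" * captured
    return hdr + rec1 + rec2

def inspect_pcap(data):
    """Return (snaplen, total_records, truncated_records) for a classic pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"               # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"               # written by a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    snaplen = struct.unpack(endian + HEADER_FMT, data[:24])[5]
    offset, total, truncated = 24, 0, 0
    while offset + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + RECORD_FMT, data[offset:offset + 16])
        total += 1
        if incl_len < orig_len:    # tcpdump stopped capturing at snaplen bytes
            truncated += 1
        offset += 16 + incl_len
    return snaplen, total, truncated

if __name__ == "__main__":
    snaplen, total, truncated = inspect_pcap(build_sample_pcap())
    print(f"snaplen={snaplen} records={total} truncated={truncated}")
```

A capture with a snaplen below Snort's 1514 default and a non-zero truncated count is one where rules matching content deeper than the snaplen cannot fire, whatever -c snort.conf loads.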


