Snort mailing list archives
Re: Generating alert when reading tcpdump file
From: "xun wang" <xuntwang () hotmail com>
Date: Thu, 04 Jul 2002 09:29:59 -0400
Thanks for your prompt response. Actually, I realized that I should specify the rules for snort to be able to trigger alerts. But when I tried "-c /path/snort.conf", I didn't get anything except an empty alert file. When I removed this switch from my command, at least I could get lots of directories named with source IP addresses in the /var/log/snort directory.

I didn't specify to write the alerts to syslog, but I checked the syslog as well and didn't find any alert.

What are your thoughts?
> From: "Andrew R. Baker" <andrewb () snort org>
> To: tang xun <xun_tang () yahoo com>
> CC: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Generating alert when reading tcpdump file
> Date: Wed, 03 Jul 2002 16:54:38 -0400
>
> tang xun wrote:
>> Hi All,
>> I got some tcpdump data from various networks to analyze. I am able to start snort to read those tcpdump files with the following command and generate logs.
>>
>> snort -A full -v -d -h home_net -l /var/log/snort -r tcpdump_file
>
> You are missing a "-c snort.conf" in the above line. You need to use this if you want Snort to run with any rules enabled.
>
>> But the "-A full" didn't work. I only got an empty alert file although I can see attacks in the tcpdump file. The question is whether snort can generate alerts when reading tcpdump files (in playback mode)?
>
> Yes, but you have to load some rules for it to use to detect the alerts.
>
> -A
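The thread turns on whether the /var/log/snort/alert file written by "-A full" is empty or not. The following is an added example, not code from either poster: a small parser that splits a full-mode alert file into entries and counts hits per signature, so a playback run can be checked for fired rules without reading the file by hand. The sample alert text is constructed here in the layout assumed for Snort's full alert mode (header line, classification line, timestamp/flow line, protocol lines, blank line between entries).

```python
import re
from collections import Counter

# Constructed sample of a Snort "alert" file written in -A full mode.
# Not output from the original poster's run; one rule fires twice, another once.
SAMPLE_ALERT_FILE = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/03-16:54:38.123456 10.1.1.5 -> 10.1.1.1
ICMP TTL:51 TOS:0x0 ID:9203 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/03-16:54:39.223456 10.1.1.5 -> 10.1.1.2
ICMP TTL:51 TOS:0x0 ID:9204 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:1000001:1] LOCAL telnet login attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
07/03-16:55:02.000001 10.1.1.5:3344 -> 10.1.1.9:23
TCP TTL:51 TOS:0x0 ID:9300 IpLen:20 DgmLen:60 DF
"""

# "[**] [gid:sid:rev] message [**]" opens every entry in full mode.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src -> dst" (src/dst may carry :port for TCP/UDP).
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")

def parse_alerts(text):
    """Return one dict per alert entry: sid, msg, time, src, dst."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if not lines:
            continue  # empty file: no rules fired (the symptom in this thread)
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not a full-mode entry; skip rather than crash
        gid, sid, rev, msg = m.groups()
        entry = {"sid": int(sid), "msg": msg, "time": None, "src": None, "dst": None}
        for line in lines[1:]:
            f = FLOW_RE.match(line)
            if f:
                entry["time"], entry["src"], entry["dst"] = f.groups()
                break
        alerts.append(entry)
    return alerts

def summarize(text):
    """Count alerts per signature message; an empty Counter means nothing fired."""
    return Counter(a["msg"] for a in parse_alerts(text))
```

Running summarize() over a real alert file after a "-r pcap -c snort.conf" run gives a quick per-signature tally; an empty result points back at the configuration (no -c, or no rules included) rather than at the pcap.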