On Sun, 2009-05-03 at 04:32 -0400, Joel Esler wrote:
> Yes, if you run Snort as you would any other time in IPS mode "-c", and
> simply use the output plugins you have defined in your snort.conf, when
> you run Snort with the -r option, it will log the alerts generated from
I ran it in this way:
snort -c /etc/snort/snort.conf -de -r attack-test.pcap
But it seems it doesn't process the file, because I don't see any attack info in the BASE web interface.
attack-test.pcap is produced by
nmap -P0 -sS -p 135,139,445,80,21,20,22 -e lo 192.168.2.4
and
snort -c /etc/snort/snort.conf -de -r attack-test.pcap
....
Here is the command output:
328 out of 512 flowbits in use.
TCPDUMP file reading mode.
Reading network traffic from "attack-test.pcap" file.
snaplen = 65535
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = unknown:[reading from a file]
database: sensor id = 8
database: schema version = 107
database: using the "log" facility
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = unknown:[reading from a file]
database: sensor id = 8
database: schema version = 107
database: using the "log" facility
(It waits here without processing)
So I may be doing some misconfiguration.
I am using the pre-compiled snort-mysql deb file from ubuntu hardy 8.0 repo.
--
Oguz Yarimtepe
http://www.loopbacking.info