Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-users] Reading a TCPdump file

from [Mark Johnston] Network Security [Permanent Link]
Subject: RE: [Snort-users] Reading a TCPdump file
Date: Fri, 22 Oct 2004 14:35:13 +0100 
Hi there,

Thanks for the reply ...

HOME_NET is defined as the IP of the address of the host e.g 10.10.10.5/32 and 
EXTERNAL_NET is defined as !HOME_NET. The file is the entire capture of all 
sessions to that box (it was inline). I didn't use the -z option in the command 
line.

Thanks
Mark

-----Original Message-----
From: sekure [mailto:sekure@gmail.com]
Sent: 22 October 2004 14:20
To: Mark Johnston
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Reading a TCPdump file


Mark,

Are you HOME_NET and EXTERNAL_NET variables defined correctly?

Also, i am not exactly sure if the tcpdump contains a complete
session, or just the alerts, but if it does NOT contain the entire
session, Snort won't even look at it, unless you remove the "-z" from
the commandline (which looks like you did), and remove the "flow"
keyword from the rules.


On Thu, 21 Oct 2004 15:15:36 +0100, Mark Johnston
<mark.johnston@bluesq.com> wrote:

I'm looking at one of the honeynet scan of the month projects (#27). And
what I'm trying to do is get snort to read the TCPdump capture file and view
the alerts. Thus far I have configured the conf file to have the appropriate
values and run snort against the file, however I'm not getting any generated
alerts. I know that I should be getting some though. I also have the latest
version of the rules and am running snort 2.2 for Fedora Core 2. The command
that I am using is "snort -A full -c /etc/snort/snort.conf -r sotm27"



**********************************************************************
This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they 
are addressed. It may not be used or disclosed except for the 
purpose for which it has been sent. If you have received this 
e-mail in error please notify the system administrator 
postmaster@bluesq.com quoting the senders address. If you are not the 
intended recipient you must not use, disclose, distribute, copy, 
print or rely on this e-mail and must delete the message and any 
documents. Please advise immediately if you or your employer 
do not consent to Internet e-mail for messages of this kind. 
Unless expressly stated, opinions in this message are those of 
the individual sender and not of Blue Square. Blue Square 
accepts no liability or responsibility for any onward transmission 
or use of e-mails and attachment having left the Blue Square domain.

 

This footnote also confirms that this e-mail message has been swept
 by MIMEsweeper for the presence of computer viruses. Whilst we 
have taken reasonable precautions to ensure that this e-mail and 
any attachments have been swept for viruses, we cannot accept 
liability for any damage sustained as a result of software viruses and 
would advise that you carry out your own virus checks before 
opening any attachment.

 

www.bluesq.com
**********************************************************************



-------------------------------------------------------
This Newsletter Sponsored by: Macrovision 
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate 
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] Using snort on a per-instance basis....archive databases, Jason Humes
Next by Date:  RE: [Snort-users] Need help from the Snorters, Baxter, Anthony \(ABAXTER\)
Previous by Thread:  RE: [Snort-users] Reading a TCPdump file, Jeff Dell
Next by Thread:  Re: [Snort-users] Reading a TCPdump file, sekure
Indexes:  [Date] [Thread] [Top] [All Lists]