[Intrusions] Snort
Buelna, Derek
derek.buelna at office.xerox.com
Wed Oct 20 17:58:46 GMT 2004
I'm confused about a couple of things and was hoping for a little feedback.
I'm analyzing http://isc.sans.org/logs/Raw/2002.9.30 as part of my GCIA practical.
The file is a little over 4MB and includes 15021 packets. From what I understand, only packets that fired against a rule are in there. Is this true?
My concern is that when I run snort against the file, I get 500 alerts. As part of this, when I run it in binary output mode, I get a binary log file that's about 600kB and includes 500 packets! What's the deal with the remaining 3.4MB worth of packets? Is it possible that these are the result of custom rules that I'm not aware of? I have all of the rules turned on, on my snort, although I haven't messed with the preprocessors.
I'm also not clear on how I can use tcpdump to filter on a few things and then output a binary that snort can read. I want to run tcpdump on the 2002.9.30 file with a filter, save the output file and then run it through snort. When I do this I get no alerts so I think I messed up the syntax. I was able to create a display filter in ethereal and save that off and run it through snort though. Maybe I need to output in ASCII and run a converter on it?
Any suggestions would be appreciated. Thanks,
Derek A. Buelna, GSEC, CISSP, CCIE #7318
Information Security
XEROX Office Group
Office: 503.685.2593
Fax: 503.685.4140
Email: dbuelna at office.xerox.com
PGP Fingerprint: F01B F636 ED37 08AD 9D8B 6BCC 5663 F7A4 7F45 4AA5
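The tcpdump step the post describes, filtering a capture and saving a binary that snort can read, as an added example that is not part of the original message. With the real tools the invocation is `tcpdump -r 2002.9.30 -w filtered.pcap 'tcp port 80'` followed by `snort -r filtered.pcap ...`; snort reads libpcap binary, so converting to ASCII is the wrong direction. The script below does the same job in Python for a narrow filter vocabulary (protocol and port), writing and reading the libpcap file format directly, and reports the packet count and byte total, the two numbers the post compares. The three-packet capture it runs over is constructed in the script, not taken from the 2002.9.30 file.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# libpcap file format constants: the format tcpdump -w writes and snort -r reads
PCAP_MAGIC = 0xA1B2C3D4          # magic number for microsecond-timestamp files
LINKTYPE_ETHERNET = 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, frame bytes)


def build_frame(proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame with a minimal TCP or UDP header (sample data, not captured)."""
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags (ACK), window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x10, 8192, 0, 0)
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("unsupported protocol")
    total_len = 20 + len(l4) + len(payload)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + l4 + payload


def write_pcap(records: List[Record]) -> bytes:
    """Serialize records into a little-endian libpcap file (global header + one record header per packet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[Record]:
    """Yield (ts_sec, ts_usec, frame) from a libpcap byte string, handling either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file; snort -r needs this format, not ASCII output")
    offset = 24  # size of the global header
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, ts_usec, data[offset:offset + incl_len]
        offset += incl_len


def l4_info(frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (protocol, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = frame[14 + ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return proto, sport, dport
    return None


def matches(frame: bytes, proto: Optional[int], port: Optional[int]) -> bool:
    """Tiny stand-in for a BPF expression such as 'tcp port 80'."""
    if proto is None and port is None:
        return True
    info = l4_info(frame)
    if info is None:
        return False
    p, sport, dport = info
    return (proto is None or p == proto) and (port is None or port in (sport, dport))


def filter_pcap(data: bytes, proto: Optional[int] = None, port: Optional[int] = None) -> bytes:
    """Keep matching packets with their original timestamps; the result is again a libpcap file snort can read."""
    kept = [rec for rec in read_pcap(data) if matches(rec[2], proto, port)]
    return write_pcap(kept)


def summarize(data: bytes) -> Tuple[int, int]:
    """(packet count, total bytes of packet data) for a capture."""
    count = total = 0
    for _, _, frame in read_pcap(data):
        count += 1
        total += len(frame)
    return count, total


def sample_pcap() -> bytes:
    """Constructed three-packet capture (HTTP, HTTPS, DNS); not real traffic."""
    frames = [
        build_frame(IPPROTO_TCP, 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_frame(IPPROTO_TCP, 40001, 443, b"\x16\x03\x01"),
        build_frame(IPPROTO_UDP, 40002, 53, b"\x00" * 12),
    ]
    return write_pcap([(1033344000 + i, 0, f) for i, f in enumerate(frames)])


if __name__ == "__main__":
    cap = sample_pcap()
    print("all packets:", summarize(cap))
    print("tcp port 80:", summarize(filter_pcap(cap, IPPROTO_TCP, 80)))
```

Running `summarize` over the original capture and over snort's binary log side by side is the quickest way to confirm whether the 500-packet log really is a subset of the 15021-packet file, and `filter_pcap` keeps the record headers intact so the output opens in snort or ethereal exactly as a `tcpdump -w` file would.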