[Intrusions] Snort

Chris Keladis chris at cmc.optus.net.au
Thu Oct 21 01:38:29 GMT 2004


At 03:58 AM 10/21/2004, Buelna, Derek wrote:

Hi Derek,

>I'm confused about a couple of things and was hoping for a little feedback.

[...]

>The file is a little over 4MB and includes 15021 packets. From what I 
>understand, only packets that fired against a rule are in there. Is this true?
>My concern is that when I run snort against the file, I get 500 alerts. As 
>part of this, when I run it in binary output mode, I get a binary log file 
>that's about 600kB and includes 500 packets! What's the deal with the 
>remaining 3.4MB worth of packets? Is it possible that these are the result 
>of custom rules that I'm not aware of? I have all of the rules turned on, 
>on my snort, although I haven't messed with the preprocessors.

Assuming they are pcap (aka binary) output from Snort, playing the raw logs 
back through Snort will not necessarily trigger the same rules.

This is because the pre-processors, and rules that use the "flowbits" 
functionality in Snort have to have all the context data in order to fire.

So snapshots of logged packets here and there will only trigger the simple 
non-context rules.

It is designed this way to help minimize the amount of false-positives.

As you mention it is also entirely possible the Snort that captured the 
above packets had custom rules. Unfortunately this is not something you can 
"reverse engineer".



>I'm also not clear on how I can use tcpdump to filter on a few things and 
>then output a binary that snort can read. I want to run tcpdump on the 
>2002.9.30 file with a filter, save the output file and then run it through 
>snort. When I do this I get no alerts so I think I messed up the syntax. I 
>was able to create a display filter in ethereal and save that off and run 
>it through snort though. Maybe I need to output in ASCII and run a 
>converter on it?

Use the '-r' and '-w' switches to tcpdump, simultaneously, to read a trace 
and write it to a new pcap dump file, with your filter at the end of the 
command line.

tcpdump will then write out only the packets that matched your filter on 
the command line.

For help on writing filters, study the tcpdump man page. It goes into quite 
some depth on writing anything from the simplest to some pretty advanced 
filters.




Regards,

Chris.

Chris Keladis

System/Security Administrator
Data & Business Operations
Custom Management Centre
'yes'  -  Optus.

Phone: (02) 9775-9372
Mobile: (0402) 067-375
E-Mail: Chris.Keladis at cmc.optus.net.au

PGP Key ID: 0xE55D8E9B

PGP Fingerprint:
BCA3 8819 A0C9 82DD 0D30  0E0F 50F2 A460 E55D 8E9B
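The flowbits point above is easy to see in a toy model. The following Python is an added example and is not code from the original thread or from Snort itself: it mimics the rule options `content`, `flowbits:set`, `flowbits:isset` and `flowbits:noalert` on a per-flow state table, runs a constructed four-packet trace through them, then replays only the packets that produced an alert (which is what a binary alert log contains). The rule SIDs, flow labels and payloads are all constructed for the illustration.

```python
# Added example (not from the original post): why replaying a subset of logged
# packets fires fewer rules than the live run. Rule semantics mirror Snort's
# flowbits keyword in spirit only; SIDs, flow labels and payloads are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    flow: str        # constructed session label standing in for the 5-tuple
    payload: bytes


@dataclass
class Rule:
    sid: int
    content: bytes
    sets_bit: Optional[str] = None      # flowbits:set,<name>
    requires_bit: Optional[str] = None  # flowbits:isset,<name>
    noalert: bool = False               # flowbits:noalert


def run_rules(packets, rules):
    """Return (alerts, logged): alerts is a list of (sid, packet_index);
    logged holds only the packets that produced an alert, i.e. what ends up
    in a binary alert log."""
    flow_state = {}  # per-flow set of flowbits, like Snort's per-session state
    alerts, logged = [], []
    for idx, pkt in enumerate(packets):
        bits = flow_state.setdefault(pkt.flow, set())
        fired = False
        for rule in rules:
            if rule.content not in pkt.payload:
                continue
            if rule.requires_bit and rule.requires_bit not in bits:
                continue  # context rule: the earlier packet was never seen
            if rule.sets_bit:
                bits.add(rule.sets_bit)
            if not rule.noalert:
                alerts.append((rule.sid, idx))
                fired = True
        if fired:
            logged.append(pkt)
    return alerts, logged


RULES = [
    # Stateful pair: a login marks the flow, a later retrieval on that flow alerts.
    Rule(sid=1000001, content=b"USER ", sets_bit="login_seen", noalert=True),
    Rule(sid=1000002, content=b"RETR ", requires_bit="login_seen"),
    # Simple non-context rule: fires on any packet carrying the string.
    Rule(sid=1000003, content=b"EVIL"),
]

FULL_TRACE = [  # constructed packets
    Packet("10.0.0.5:40000->10.0.0.9:21", b"USER anonymous\r\n"),
    Packet("10.0.0.5:40000->10.0.0.9:21", b"PASS guest\r\n"),
    Packet("10.0.0.5:40000->10.0.0.9:21", b"RETR secret.txt\r\n"),
    Packet("10.0.0.7:51000->10.0.0.9:80", b"GET /EVIL HTTP/1.0\r\n"),
]


def compare_live_and_replay():
    """Run the full trace, then replay only the logged packets through the same rules."""
    live_alerts, logged = run_rules(FULL_TRACE, RULES)
    replay_alerts, _ = run_rules(logged, RULES)
    return {
        "live": sorted(sid for sid, _ in live_alerts),
        "logged_packets": len(logged),
        "replay": sorted(sid for sid, _ in replay_alerts),
    }


if __name__ == "__main__":
    print(compare_live_and_replay())
```

The live run alerts on both SID 1000002 and 1000003, but the log holds only the two alerting packets; on replay the `RETR` packet arrives on a flow with no `login_seen` bit, so only the context-free rule 1000003 fires. The same thing happens with Snort's real preprocessors, which need the whole session (handshake, reassembly state) rather than the one packet that alerted.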
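The tcpdump invocation Chris describes has the form `tcpdump -r 2002.9.30 -w filtered.pcap 'tcp dst port 80'`; the output is a binary pcap file that `snort -r` reads directly, so no ASCII conversion is involved. To make that concrete, the Python below is an added example (not from the original thread, nor from tcpdump or Snort) that does the same read, filter and write by hand on a pcap file it constructs in memory. The addresses, ports, timestamps and payloads are constructed test data, and the predicate only implements the `tcp dst port` case of a BPF filter.

```python
# Added example (not from the original thread): the same read-filter-write
# operation as `tcpdump -r in.pcap -w out.pcap 'tcp dst port 80'`, done by
# hand so the pcap structure that `snort -r` consumes is visible. All packet
# contents below are constructed test data.
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed MACs and checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def write_pcap(frames, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian classic pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in frames:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Parse a classic pcap file (either byte order) into (ts_sec, ts_usec, frame) tuples."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype = struct.unpack(order + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only understands the Ethernet link type")
    records, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(order + "IIII", data[pos:pos + 16])
        pos += 16
        records.append((ts_sec, ts_usec, data[pos:pos + incl_len]))
        pos += incl_len
    return records


def tcp_ports(frame):
    """Return (src_port, dst_port) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 4:
        return None
    return struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])


def filter_pcap(data, keep):
    """Equivalent of tcpdump -r/-w with a filter: keep only records whose frame passes keep()."""
    kept = [rec for rec in read_pcap(data) if keep(rec[2])]
    return write_pcap(kept), len(kept)


def tcp_dst_port(port):
    """Predicate mirroring the BPF expression 'tcp dst port <port>'."""
    def keep(frame):
        ports = tcp_ports(frame)
        return ports is not None and ports[1] == port
    return keep


# Constructed trace: two HTTP requests and one SSH packet.
SAMPLE_PCAP = write_pcap([
    (1033344000, 0, build_tcp_frame("10.1.1.5", "10.1.1.9", 40000, 80, b"GET / HTTP/1.0\r\n")),
    (1033344001, 0, build_tcp_frame("10.1.1.6", "10.1.1.9", 40001, 22)),
    (1033344002, 0, build_tcp_frame("10.1.1.7", "10.1.1.9", 40002, 80, b"GET /x HTTP/1.0\r\n")),
])


def demo():
    """Filter the sample trace to port 80 and report what survived."""
    filtered, count = filter_pcap(SAMPLE_PCAP, tcp_dst_port(80))
    return count, [tcp_ports(rec[2])[1] for rec in read_pcap(filtered)]


if __name__ == "__main__":
    with open("filtered.pcap", "wb") as fh:   # feed this to: snort -r filtered.pcap
        fh.write(filter_pcap(SAMPLE_PCAP, tcp_dst_port(80))[0])
    print(demo())
```

Two of the three records survive the filter, and the output is a complete pcap file (global header plus per-record headers), which is why Snort can read it while an ASCII dump could not. If the file written by a real `tcpdump -r ... -w ...` produces no alerts, the first things to check are whether the filter expression is quoted as one argument and whether it actually matches anything (`tcpdump -r filtered.pcap -c 5` shows the first few surviving packets).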





