[Intrusions] Snort

Jim Hendrick jrhendri at maine.rr.com
Thu Oct 21 03:02:48 GMT 2004


Not sure what is in that file. 

tcpdump is the right tool to split out the file into binary files that can
be read again by other pcap-aware tools.
Check the man page. It's pretty straightforward to input from a file, apply
a filter, and output to a file.

No need to ASCIIfy and convert.

Good luck!

Jim
GCFW, GCIA, GCIH
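An added example, not Jim's or Derek's code: a minimal reader/writer for the libpcap format that does what `tcpdump -r 2002.9.30 -w filtered.pcap 'host <addr>'` does, so you can see why the binary output stays readable by Snort and other pcap-aware tools without any ASCII conversion. All packet data below is constructed inline; the real ISC log file is not included, and only little-endian, Ethernet/IPv4 captures are handled.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian magic as written by tcpdump -w on x86
LINKTYPE_ETHERNET = 1

def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def ipv4_frame(src, dst, payload=b""):
    """Constructed Ethernet+IPv4 frame (zero MACs/checksum; enough to filter on)."""
    eth = b"\x00" * 12 + b"\x08\x00"               # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload

def pcap_record(ts_sec, ts_usec, frame):
    # per-packet header: ts_sec, ts_usec, incl_len, orig_len (16 bytes) + frame bytes
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def iter_records(data):
    """Yield (record_header, frame) pairs from raw pcap bytes, skipping the global header."""
    off = 24
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl_len = struct.unpack("<IIII", hdr)[2]
        yield hdr, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def ipv4_hosts(frame):
    """Return (src, dst) dotted quads for an Ethernet/IPv4 frame, or None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return (".".join(str(b) for b in frame[26:30]),
            ".".join(str(b) for b in frame[30:34]))

def filter_pcap(data, host):
    """Keep only records involving `host`, like tcpdump's 'host <addr>' BPF filter.
    The original global header is copied verbatim so the output is a valid pcap."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file (pcapng/big-endian not handled)")
    kept = []
    for hdr, frame in iter_records(data):
        hosts = ipv4_hosts(frame)
        if hosts and host in hosts:
            kept.append(hdr + frame)
    return data[:24] + b"".join(kept), len(kept)
```

Comparing the record count of the input against the count of the filtered output is the quick sanity check for "I get no alerts": if the filter kept zero records, the output file is just the 24-byte global header and Snort has nothing to inspect.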

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Buelna, Derek
Sent: Wednesday, October 20, 2004 1:59 PM
To: intrusions at lists.sans.org
Subject: [Intrusions] Snort


I'm confused about a couple of things and was hoping for a little feedback.

I'm analyzing http://isc.sans.org/logs/Raw/2002.9.30 as part of my GCIA practical.

The file is a little over 4MB and includes 15021 packets. From what I
understand, only packets that fired against a rule are in there. Is this
true? My concern is that when I run snort against the file, I get 500
alerts. As part of this, when I run it in binary output mode, I get a binary
log file that's about 600kB and includes 500 packets! What's the deal with
the remaining 3.4MB worth of packets? Is it possible that these are the
result of custom rules that I'm not aware of? I have all of the rules turned
on, on my snort, although I haven't messed with the preprocessors.

I'm also not clear on how I can use tcpdump to filter on a few things and
then output a binary that snort can read. I want to run tcpdump on the
2002.9.30 file with a filter, save the output file and then run it through
snort. When I do this I get no alerts so I think I messed up the syntax. I
was able to create a display filter in ethereal and save that off and run it
through snort though. Maybe I need to output in ASCII and run a converter on
it?

Any suggestions would be appreciated. Thanks,

Derek A. Buelna, GSEC, CISSP, CCIE #7318
Information Security
XEROX Office Group
Office: 503.685.2593
Fax: 503.685.4140
Email: dbuelna at office.xerox.com
PGP Fingerprint: F01B F636 ED37 08AD 9D8B 6BCC 5663 F7A4 7F45 4AA5




_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org http://www.dshield.org/mailman/listinfo/intrusions