[Intrusions] Snort
Daniel Wesemann
intrusions at wesi.ch
Thu Oct 21 14:23:10 GMT 2004
> The file is a little over 4MB and includes 15021 packets. From what I
> understand, only packets that fired against a rule are in there. Is this
> true? My concern is that when I run snort against the file, I get 500
> alerts. As part of this, when I run it in binary output mode, I get a
> binary log file that's about 600kB and includes 500 packets! What's the
> deal with the remaining 3.4MB worth of packets? Is it possible that
> these are the result of custom rules that I'm not aware of? I have all
> of the rules turned on, on my snort, although I haven't messed with the
> preprocessors.
Grin. I'd suggest that you DO mess with the preprocessors. See
http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00018.html
Re the custom rules, don't worry, there are apparently some in the
rulebase, but not all that many. If you're curious :-), you can try to
extract the packets logged as result of custom rules:
- disable the preprocessors as suggested above
- pipe the original file through snort, writing out the results in binary
- read the original file and the resulting binary with tcpdump and write
the results (human readable ascii) into two text files
- do a diff on the text files
This will leave you with only those packets that were caught by the custom
ruleset, but did not trigger an alert in YOUR snort instance. Doing this
can be a neat exercise, because chances are small that other students have
analyzed these packets before :-)
Good luck
-daniel gcia gcfa
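The diff step above is the part worth automating, and a plain `diff` of two tcpdump listings is fragile (two packets can render to the same line, and duplicated packets get lost). The following is an added example, not code from the original post or from Snort: it parses the original capture and the binary alert log that a local run of snort wrote, and reports every packet the first file contains that the second does not, keyed on timestamp plus raw bytes, with duplicates counted correctly. It assumes the alert log was produced by something like `snort -r original.log -c snort.conf -b -l outdir` (Snort 2.x flags, with the preprocessors commented out of snort.conf as the post suggests) and that snort's binary log preserves each packet's original timestamp and bytes, which is what makes the comparison exact. The two captures embedded below are constructed sample data, not anything from the list.

```python
import struct
from collections import Counter

PCAP_MAGIC_US = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # libpcap variant with nanosecond timestamps


def write_pcap(packets, linktype=1):
    """Build a little-endian libpcap file from (ts_sec, ts_frac, raw_bytes) tuples.
    Only used here to construct the sample captures; real files come from snort/tcpdump."""
    out = bytearray(struct.pack('<IHHiIII', PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype))
    for ts_sec, ts_frac, raw in packets:
        out += struct.pack('<IIII', ts_sec, ts_frac, len(raw), len(raw))
        out += raw
    return bytes(out)


def read_pcap(data):
    """Parse a libpcap file into a list of (ts_sec, ts_frac, raw_bytes).
    Handles both byte orders; timestamps are only compared for equality,
    so the micro/nanosecond distinction does not matter here."""
    magic = struct.unpack('<I', data[:4])[0]
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = '<'
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):   # same magics, big-endian on disk
        endian = '>'
    else:
        raise ValueError('not a libpcap file')
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, caplen, _wirelen = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        raw = data[off:off + caplen]
        if len(raw) != caplen:
            raise ValueError('truncated packet record at offset %d' % off)
        off += caplen
        pkts.append((ts_sec, ts_frac, raw))
    return pkts


def packets_not_alerted(original, alerted):
    """Packets in `original` that the local snort run did not log to `alerted`.
    A Counter (multiset) difference keeps duplicate packets honest: if a packet
    occurs twice in the original and once in the alert log, one copy remains."""
    remaining = Counter(read_pcap(original))
    remaining.subtract(Counter(read_pcap(alerted)))
    # elements() ignores zero and negative counts; sort by timestamp for readability
    return sorted(remaining.elements(), key=lambda p: (p[0], p[1]))


def _frame(payload):
    # constructed: dummy 14-byte Ethernet header followed by an arbitrary payload
    return b'\xaa' * 6 + b'\xbb' * 6 + b'\x08\x00' + payload


# constructed sample "original" capture: five packets, one of them duplicated
ORIGINAL_PCAP = write_pcap([
    (1098368590, 0,   _frame(b'packet alerted by both rulesets')),
    (1098368590, 100, _frame(b'packet only a custom rule matched')),
    (1098368591, 0,   _frame(b'duplicated packet, custom rule only')),
    (1098368591, 0,   _frame(b'duplicated packet, custom rule only')),
    (1098368592, 0,   _frame(b'another packet alerted by both')),
])

# constructed sample of what a local "snort -b" run logged: two of the five
ALERT_PCAP = write_pcap([
    (1098368590, 0,   _frame(b'packet alerted by both rulesets')),
    (1098368592, 0,   _frame(b'another packet alerted by both')),
])


if __name__ == '__main__':
    # with real files: packets_not_alerted(open('original.log','rb').read(),
    #                                      open('outdir/snort.log.NNN','rb').read())
    for ts_sec, ts_frac, raw in packets_not_alerted(ORIGINAL_PCAP, ALERT_PCAP):
        print('%d.%06d len=%d payload=%r' % (ts_sec, ts_frac, len(raw), raw[14:]))
```

The output is the list of packets that only the remote custom ruleset explained, which is exactly the set the post suggests analysing by hand; feeding it back through `tcpdump -n -r` (after writing it with `write_pcap`) gives the usual human-readable listing.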