[Intrusions] Snort

Buelna, Derek derek.buelna at office.xerox.com
Fri Oct 22 17:39:18 GMT 2004


Wow, I commented out the stream preprocessors and now I have 2842 alerts. Thanks Daniel, your response and your post http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00018.html were quite useful.

-Derek

-----Original Message-----
From: intrusions-bounces at lists.sans.org [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Daniel Wesemann
Sent: Thursday, October 21, 2004 7:23 AM
To: Intrusions List (GCIA Practicals)
Subject: Re: [Intrusions] Snort


> The file is a little over 4MB and includes 15021 packets. From what I 
> understand, only packets that fired against a rule are in there. Is 
> this true? My concern is that when I run snort against the file, I get 
> 500 alerts. As part of this, when I run it in binary output mode, I 
> get a binary log file that's about 600kB and includes 500 packets! 
> What's the deal with the remaining 3.4MB worth of packets? Is it 
> possible that these are the result of custom rules that I'm not aware 
> of? I have all of the rules turned on, on my snort, although I haven't 
> messed with the preprocessors.

Grin. I'd suggest that you DO mess with the preprocessors. See http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00018.html

Re the custom rules, don't worry, there are apparently some in the rulebase, but not all that many. If you're curious :-), you can try to extract the packets logged as a result of custom rules:

- disable the preprocessors as suggested above
- pipe the original file through snort, writing out the results in binary
- read the original file and the resulting binary with tcpdump and write the results (human readable ascii) into two text files
- do a diff on the text files

This will leave you with only those packets that were caught by the custom ruleset, but did not trigger an alert in YOUR snort instance. Doing this can be a neat exercise, because chances are small that other students have analyzed these packets before :-)

Good luck
-daniel gcia gcfa

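The four-step extraction Daniel describes, worked as an added Python example (not from the post, and not Snort's or tcpdump's own code): since Snort's binary log (-b) is written in libpcap format, the diff can be done directly on the two capture files, keyed on timestamp and raw packet bytes, instead of on tcpdump's text rendering. The capture bytes below are constructed test data, not packets from the practical.

```python
import struct

# Constructed dummy frames (14 zero bytes stand in for an Ethernet header).
_FRAMES = [(1098380000, 10, b"\x00" * 14 + b"frame-A"),
           (1098380000, 20, b"\x00" * 14 + b"frame-B"),
           (1098380001, 0, b"\x00" * 14 + b"frame-C")]


def write_pcap(packets):
    """Serialise (ts_sec, ts_usec, bytes) tuples as a little-endian libpcap file."""
    # global header: magic, v2.4, tz offset 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, pkt in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data):
    """Parse a classic libpcap file into [(ts_sec, ts_usec, packet_bytes), ...]."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a libpcap file (bad magic)")
    packets, off = [], 24     # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        packets.append((ts_sec, ts_usec, pkt))
        off += incl_len
    return packets


def unalerted_packets(original_pcap, snort_log_pcap):
    """Packets in the original capture that Snort's binary log does not contain."""
    logged = set(read_pcap(snort_log_pcap))
    return [p for p in read_pcap(original_pcap) if p not in logged]


# Constructed inputs: the "original" has three frames, Snort logged only the second.
ORIGINAL_PCAP = write_pcap(_FRAMES)
SNORT_LOG_PCAP = write_pcap([_FRAMES[1]])

if __name__ == "__main__":
    for ts_sec, ts_usec, pkt in unalerted_packets(ORIGINAL_PCAP, SNORT_LOG_PCAP):
        print("%d.%06d  %d bytes  %r" % (ts_sec, ts_usec, len(pkt), pkt[14:]))
```

With real files, replace the two constructed byte strings with the contents of the practical's capture and of the snort.log.* file that `snort -b` wrote; the leftover packets are the ones only the custom rules could have logged.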

_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
