[Intrusions] Snort
Joel Esler
esler at knology.net
Sat Oct 23 23:11:03 GMT 2004
Another thing you have to remember is that some of the binary captures
may have been caught by custom rules. Also remember your "Flow"
keywords in rules: since Snort cannot establish a "flow" (or a stream),
the flow-keyworded rules will not work.
Joel Esler, GCIA
On Oct 22, 2004, at 13:39, Buelna, Derek wrote:
> Wow, I commented out the stream preprocessors and now I have 2842
> alerts. Thanks Daniel, your response and your post
> http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00018.html
> were quite useful.
>
> -Derek
>
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Daniel
> Wesemann
> Sent: Thursday, October 21, 2004 7:23 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] Snort
>
>
>> The file is a little over 4MB and includes 15021 packets. From what I
>> understand, only packets that fired against a rule are in there. Is
>> this true? My concern is that when I run snort against the file, I get
>> 500 alerts. As part of this, when I run it in binary output mode, I
>> get a binary log file that's about 600kB and includes 500 packets!
>> What's the deal with the remaining 3.4MB worth of packets? Is it
>> possible that these are the result of custom rules that I'm not aware
>> of? I have all of the rules turned on, on my snort, although I haven't
>> messed with the preprocessors.
>
> Grin. I'd suggest that you DO mess with the preprocessors. See
> http://cert.uni-stuttgart.de/archive/intrusions/2003/01/msg00018.html
>
> Re the custom rules, don't worry, there are apparently some in the
> rulebase, but not all that many. If you're curious :-), you can try to
> extract the packets logged as result of custom rules:
>
> - disable the preprocessors as suggested above
> - pipe the original file through snort, writing out the results in
> binary
> - read the original file and the resulting binary with tcpdump and
> write the results (human readable ascii) into two text files
> - do a diff on the text files
>
> This will leave you with only those packets that were caught by the
> custom ruleset, but did not trigger an alert in YOUR snort instance.
> Doing this can be a neat exercise, because chances are small that
> other students have analyzed these packets before :-)
>
> Good luck
> -daniel gcia gcfa
>
>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
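Daniel's four steps above, written out as a script. This is an added example, not code from the thread or from the Snort project; it assumes a Snort 2.x-era command line (`-c`, `-r`, `-b`, `-l`, `-q`) and tcpdump on the PATH, a copy of snort.conf with the stream preprocessor lines commented out (as Derek did), and that Snort's binary log keeps the packets' original timestamps so that the tcpdump one-liners for the same packet compare equal. The file names (`capture.pcap`, `snort-nopre.conf`, `./work`) are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes snort 2.x and tcpdump on PATH,
# and a snort.conf copy with the stream preprocessor lines commented out.
set -eu

# Steps 1+2: read the original pcap through snort with the preprocessor-less
# config and log every packet that fired a rule in tcpdump (binary) format.
# Snort writes that file as snort.log.<epoch> inside the -l directory.
snort_binary_log() {
    pcap=$1; conf=$2; logdir=$3
    mkdir -p "$logdir"
    snort -q -c "$conf" -r "$pcap" -b -l "$logdir"
    ls -t "$logdir"/snort.log.* | head -n 1    # newest binary log
}

# Step 3: one human-readable line per packet. -nn suppresses DNS and port
# name lookups, which would otherwise make the two listings differ for
# reasons that have nothing to do with the packets themselves.
packets_as_text() {
    tcpdump -nn -tttt -r "$1"
}

# Step 4: lines present in the original listing but absent from the alert
# listing are the packets caught upstream (custom rules) that YOUR snort
# instance did not alert on. Sorting first makes the comparison independent
# of packet order; sort -u also collapses a packet logged more than once.
unalerted_packets() {
    orig_txt=$1; alert_txt=$2
    sort -u "$orig_txt"  > "$orig_txt.sorted"
    sort -u "$alert_txt" > "$alert_txt.sorted"
    comm -23 "$orig_txt.sorted" "$alert_txt.sorted"
    rm -f "$orig_txt.sorted" "$alert_txt.sorted"
}

# Glue for the whole procedure.
# Usage: extract_custom_rule_hits capture.pcap snort-nopre.conf ./work
extract_custom_rule_hits() {
    pcap=$1; conf=$2; work=$3
    mkdir -p "$work"
    log=$(snort_binary_log "$pcap" "$conf" "$work/log")
    packets_as_text "$pcap" > "$work/original.txt"
    packets_as_text "$log"  > "$work/alerted.txt"
    unalerted_packets "$work/original.txt" "$work/alerted.txt" \
        > "$work/custom_only.txt"
    printf 'original=%s alerted=%s custom_only=%s\n' \
        "$(wc -l < "$work/original.txt" | tr -d ' ')" \
        "$(wc -l < "$work/alerted.txt"  | tr -d ' ')" \
        "$(wc -l < "$work/custom_only.txt" | tr -d ' ')"
}
```

Source the file and call `extract_custom_rule_hits capture.pcap snort-nopre.conf ./work`; `work/custom_only.txt` then holds the packets Daniel describes. Read that file with Joel's caveat in mind: with the stream preprocessors disabled, rules that use the `flow` keyword cannot match in your instance, so the leftover set also contains packets that were originally caught by flow-keyworded rules, not only by custom ones. If the snort-written pcap turns out to carry rewritten timestamps, strip the first two fields of each line (`cut -d' ' -f3-`) from both listings before the comparison.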