Re: [Snort-users] how to create testing data files??

From: waldo kitty (wkitty42@windstream.net)
Date: Tue Aug 17 2010 - 13:57:28 CDT


On 8/16/2010 10:30, Ryan Jordan wrote:
>> [quote] Note that Snort will not try to determine whether the files under that
>> directory are really pcap files or not. [/quote]
>
> This means that your directory better have pcap files in it, because
> Snort's going to try and load them as pcaps! :) Perhaps this is
> something we can make a little more clear.

i would say so because i read it that snort wouldn't care in this case if they
are pcaps or plain text/binary files... i mean, heck, "i" just want to create a
file of "aaaaABCxEFGaaaa" and feed it to snort to see if that rule fires based
on that string ;)

> When I'm testing rules or things I've developed, I typically use Scapy
> to craft pcaps. At one point, I used the following setup for more
> rapid (but less repeatable!) testing:
>
> Get 2 hosts. I used my workstation and a VM. On one end, named
> "foobar", run netcat in listen mode:
> [ryan@foobar]$ nc -l -p 5555
>
> On the other end, connect with netcat:
> [ryan@snortdev]$ nc foobar 5555
>
> On the client's end, I ran Snort with my rules to test. I used a BPF
> to get only this traffic:
> [ryan@snortdev]$ snort -c testing.conf -i eth0 -F my_bpf.txt -A cmg -k none
>
> The contents of my BPF:
> [ryan@snortdev]$ cat my_bpf.txt
> host foobar and port 5555
>
> Finally, I can just type stuff into my netcat window and watch the
> alerts pop up in my Snort window.
>
> I found this to be useful when I was debugging some pattern matcher
> weirdness in the Sensitive Data preprocessor. This approach is less
> useful if you want to save your tests and script them up to be run
> later -- pcaps are great for this.
>
> You'll also run into trouble if you want to test a more complex
> protocol than raw text over TCP, but we'll save that for another day.
> :)

thanks for that... i'm sure it will be helpful to some... sadly, though, it made
my eyes cross and i had to use sandpaper on them to be able to write this :?
getting old too soon and too fast :(
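Building the kind of test pcap Ryan describes, but without Scapy, as an added example that is not part of the original thread: this constructed Python writes a synthetic TCP session (handshake, one data segment, final ACK) carrying waldo's "aaaaABCxEFGaaaa" string into a file Snort can read with `snort -r test.pcap`. The IP addresses, ports, MAC addresses and sequence numbers are made up; the full handshake is there because Snort's stream tracking only treats rules with `flow:established` as matchable on a session it has seen established.

```python
import struct, socket

def checksum(data):
    """RFC 1071 ones'-complement sum, shared by the IPv4 header and TCP."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """One Ethernet/IPv4/TCP frame with valid IP and TCP checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # constructed MACs
    return eth + ip + tcp

SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18

def session_frames(payload, client="10.0.0.2", server="10.0.0.1", sport=40000, dport=5555):
    """Three-way handshake, one client data segment, and the server's ACK."""
    c, s = 1000, 5000  # constructed initial sequence numbers
    return [
        tcp_packet(client, server, sport, dport, c, 0, SYN),
        tcp_packet(server, client, dport, sport, s, c + 1, SYNACK),
        tcp_packet(client, server, sport, dport, c + 1, s + 1, ACK),
        tcp_packet(client, server, sport, dport, c + 1, s + 1, PSHACK, payload),
        tcp_packet(server, client, dport, sport, s + 1, c + 1 + len(payload), ACK),
    ]

def checksums_ok(frame):
    """Recomputing a checksum over data that already contains it yields 0."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0

def write_pcap(path, frames):
    """Classic libpcap file: magic 0xa1b2c3d4, version 2.4, link type 1 (Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 1282000000 + i, 0, len(fr), len(fr)) + fr)

if __name__ == "__main__":
    write_pcap("test.pcap", session_frames(b"aaaaABCxEFGaaaa"))
```

Because the checksums are valid, the resulting file can be replayed with `snort -c testing.conf -r test.pcap -A cmg` without the `-k none` from Ryan's live-capture command.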
