I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying to do offline analysis with snort (don't want to burden the router with inline analysis of 20 Mbps traffic). Apparently snort provides a -r option for this purpose, but I can't get the analysis to run.
The analysis system is gentoo, amd64, in case that makes any difference. I've already used oinkmaster to download the latest IDS signatures. But when I try to run snort, I keep getting the following error:
```
% snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.0.3 IPv6 GRE (Build 98) x86_64-linux
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.11 2010-12-10
Using ZLIB version: 1.2.5
```

```
%> snort -v -r jan21-for-snort.cap -c /etc/snort/snort.conf -l ~/snortlog/
(snip)
273 out of 1024 flowbits in use.
[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 314
|   1 byte states   : 304
|   2 byte states   : 10
|   4 byte states   : 0
| Characters        : 69371
| States            : 58631
| Transitions       : 3471623
| State Density     : 23.1%
| Patterns          : 3020
| Match States      : 2934
| Memory (MB)       : 29.66
|   Patterns        : 0.36
|   Match Lists     : 0.77
|   DFA
|     1 byte states : 1.37
|     2 byte states : 26.59
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 563 ]
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..
```
net-libs/daq is installed, but I don't even want to capture traffic, I just want to process the capture file.
What configuration options should I be setting/unsetting in order to do offline analysis instead of real-time capture?
I am not familiar with Gentoo specifically, but you could try using the "--daq-list" flag to see what (if any) DAQ modules Snort sees.
e.g.:
Then use the "--daq-dir" flag to point Snort to the directory containing the DAQ libraries.
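The DAQ check and the offline run described in this answer, as an added script that is not part of the original answer. It assumes Snort 2.9.x with the DAQ modules installed as daq_*.so files (daq_pcap.so for the pcap module) under one of the candidate directories listed in the script; the directory list, the capture file name and the log directory are assumptions to adjust.

```shell
#!/bin/bash
# Added example, not code from the question or its answers.
# Assumptions: Snort 2.9.x; DAQ modules installed as daq_*.so under one of the
# candidate directories below (Gentoo amd64 may use /usr/lib64/daq).
set -e

# Candidate DAQ module directories (assumption; adjust for your distro).
DAQ_DIR_CANDIDATES="/usr/lib/daq /usr/lib64/daq /usr/local/lib/daq"

# Print the first directory that holds the pcap DAQ module, or return 1.
# $1 optionally overrides the candidate list (space separated).
find_daq_dir() {
    for d in ${1:-$DAQ_DIR_CANDIDATES}; do
        if [ -f "$d/daq_pcap.so" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Ask Snort which DAQ modules it actually sees in that directory.
list_daq_modules() {
    snort --daq-dir "$1" --daq-list
}

# Build the command for offline analysis of a capture: the pcap DAQ in
# read-file mode needs no interface and no live-capture privileges.
# $1 capture file, $2 snort.conf, $3 log directory, $4 DAQ directory
offline_snort_cmd() {
    printf 'snort --daq pcap --daq-mode read-file --daq-dir %s -r %s -c %s -l %s\n' \
        "$4" "$1" "$2" "$3"
}

main() {
    daq_dir=$(find_daq_dir) || {
        echo "no daq_pcap.so found in: $DAQ_DIR_CANDIDATES" >&2
        echo "check the net-libs/daq install, then adjust DAQ_DIR_CANDIDATES" >&2
        exit 1
    }
    list_daq_modules "$daq_dir"
    # Paths without spaces assumed, since the command string is word-split.
    cmd=$(offline_snort_cmd jan21-for-snort.cap /etc/snort/snort.conf "$HOME/snortlog" "$daq_dir")
    echo "running: $cmd"
    $cmd
}

# Run only when asked, so the functions can also be sourced and used one at a time.
if [ "${RUN_SNORT:-0}" = 1 ]; then main; fi
```

Run it as `RUN_SNORT=1 ./snort-offline.sh`; the DAQ listing printed first tells you whether the pcap module is visible before the real read of the capture starts.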
I'm not entirely sure what the fix is, but it may be related to the USE flags specified to compile snort. This is reported in the following POST. The post, I think, also contains a temporary solution.
I would suggest using another distro/windows, or to go ask in the Gentoo forums about build problems with Snort.
I always do this:

Create a virtual NIC

I put this into a bash script, make it executable (chmod +x script.sh) and execute it:

Replay the traffic

Get tcpreplay and do:

Capture the traffic

Make snort sniff: