
I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying to do offline analysis with snort (don't want to burden the router with inline analysis of 20 Mbps traffic). Apparently snort provides a -r option for this purpose, but I can't get the analysis to run.

The analysis system is gentoo, amd64, in case that makes any difference. I've already used oinkmaster to download the latest IDS signatures. But when I try to run snort, I keep getting the following error:

% snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3 IPv6 GRE (Build 98) x86_64-linux
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.11 2010-12-10
           Using ZLIB version: 1.2.5

%> snort -v -r jan21-for-snort.cap -c /etc/snort/snort.conf -l ~/snortlog/

(snip)

273 out of 1024 flowbits in use.

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 314
|     1 byte states : 304
|     2 byte states : 10
|     4 byte states : 0
| Characters        : 69371
| States            : 58631
| Transitions       : 3471623
| State Density     : 23.1%
| Patterns          : 3020
| Match States      : 2934
| Memory (MB)       : 29.66
|   Patterns        : 0.36
|   Match Lists     : 0.77
|   DFA
|     1 byte states : 1.37
|     2 byte states : 26.59
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 563 ]
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..

net-libs/daq is installed, but I don't even want to capture traffic, I just want to process the capture file.

What configuration options should I be setting/unsetting in order to do offline analysis instead of real-time capture?

Ben Voigt

3 Answers


I am not familiar with Gentoo specifically but you could try using the "--daq-list" flag to see what (if any) DAQ modules Snort sees.

e.g.:

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

Then use the "--daq-dir" flag to point Snort to the directory containing the DAQ libraries.

snort -v -r jan21-for-snort.cap -c /etc/snort/snort.conf -l ~/snortlog/ --daq-dir /usr/local/lib/daq/
Brandon
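The two checks the answer points at (does Snort list a DAQ module that can read back a capture, and which directory really holds the pcap DAQ module) can be scripted. The following is an added example, not code from the answer or from the Snort project. The `--daq-list` text embedded in it is a constructed sample in the format shown above, the candidate directories `/usr/lib64/daq`, `/usr/lib/daq` and `/usr/local/lib/daq` are assumptions about where libdaq installs `daq_pcap.so`, and the `--daq`, `--daq-mode read-file` and `--daq-dir` options are the Snort 2.9 command-line flags that make the offline (read-file) mode explicit instead of relying on what `-r` implies.

```shell
#!/usr/bin/env bash
# Added diagnostic helper (example code, not from the answer above). It only
# reads text and the filesystem; the snort binary is invoked solely in main().

# Constructed sample of `snort --daq-list` output (assumption: same format as
# the listing quoted in the answer; not captured from any real system).
SAMPLE_DAQ_LIST='Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv'

# Print the names of listed DAQ modules that advertise "readback", i.e. that
# can replay a capture file (-r) rather than sniff live. Reads the listing on stdin.
readback_modules() {
    awk -F'[(:]' '/^[a-z]+\([v0-9]+\):/ && /readback/ { print $1 }'
}

# Return 0 if the named module appears in the listing on stdin with readback support.
supports_readback() {
    readback_modules | grep -qx "$1"
}

# Print the first candidate directory that contains the pcap DAQ module.
# libdaq installs it as daq_pcap.so (assumption: verify against your own install).
find_daq_dir() {
    local d
    for d in "$@"; do
        if [ -f "$d/daq_pcap.so" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Assemble the offline-analysis command line. Snort 2.9 accepts --daq,
# --daq-mode and --daq-dir; read-file is the explicit mode that -r implies.
build_offline_cmd() {
    local pcap="$1" conf="$2" logdir="$3" daqdir="$4"
    printf 'snort --daq pcap --daq-mode read-file --daq-dir %s -r %s -c %s -l %s\n' \
        "$daqdir" "$pcap" "$conf" "$logdir"
}

# Usage: ./daqcheck.sh capture.pcap /etc/snort/snort.conf ~/snortlog
# Requires snort on PATH; candidate DAQ directories are assumptions.
main() {
    local daqdir
    if ! snort --daq-list | supports_readback pcap; then
        echo "no readback-capable pcap DAQ module is listed by snort --daq-list" >&2
        return 1
    fi
    daqdir=$(find_daq_dir /usr/lib64/daq /usr/lib/daq /usr/local/lib/daq) || {
        echo "daq_pcap.so not found in any candidate directory; pass --daq-dir yourself" >&2
        return 1
    }
    build_offline_cmd "$1" "$2" "$3" "$daqdir"
}

if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

If `readback_modules` prints nothing for your installation, the DAQ library was built without the pcap module and no `--daq-dir` value will help; if it prints `pcap` but Snort still reports "Can't find pcap DAQ!", the module exists but is not in the directory Snort searches, which is exactly the case `--daq-dir` fixes.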

I'm not entirely sure what the fix is, but it may be related to the USE flags specified to compile snort. This is reported in the following post. The post, I think, also contains a temporary solution.

I would suggest using another distro/Windows, or to go ask in the Gentoo forums about build problems with Snort.

cwheeler33
  • Unfortunately, I'd already seen that thread, and net-libs/daq is built with all USE flags (`pcap`, `afpacket`, `dump`, `ipv6`). And the files in `/usr/lib64` which that thread reported missing do exist on my system. So I suspect my error has a different cause. – Ben Voigt Jan 23 '11 at 01:35
  • I haven't played with Gentoo in 5+ years so I'm a little rusty, but it really looks like the problem has to do with the build process. It's possible there is something in a conf file. To confirm that, try using another distro, or getting specific help from the Gentoo forums. – cwheeler33 Jan 24 '11 at 13:32

I always do this:

  1. Create a virtual NIC eth10
  2. Replay the traffic on eth10
  3. Capture the traffic on eth10

Create a virtual NIC

I put this into a bash script, make it executable (chmod +x script.sh) and execute it:

#!/usr/bin/env bash

# Load the dummy network driver; it creates the interface dummy0
modprobe dummy
lsmod | grep dummy
# Rename dummy0 to eth10 (the interface must be down for the rename, which it is after creation)
ip link set name eth10 dev dummy0
ip link show eth10
# Give the virtual NIC a fixed MAC address
ifconfig eth10 hw ether 00:22:22:ff:ff:ff
ip link show eth10
# Assign an address, bring the interface up and put it in promiscuous mode so snort sees every replayed frame
ip addr add 192.168.100.199/24 brd + dev eth10 label eth10:0
ifconfig eth10 up
ifconfig eth10 promisc

Replay the traffic

Get tcpreplay and do:

sudo tcpreplay -i eth10 -T nano mypcap.pcap

Capture the traffic

Make snort sniff:

sudo snort -i eth10 -u snort -g snort -c /etc/snort/snort.conf
Jan