
Hi, I'm trying to use snort as an IDS on some pcap files I have, I was hoping I would get a log of any intrusions. I know for a fact that there are port scans and ping sweeps etc. in the pcap files, but when I try this command:

C:\Snort\bin> snort -r c:\snort\log\trace_part01.pcap -l c:\snort\log -c c:\snort\etc\snort.conf -K ascii

Nothing happens. I can log the data like so:

snort -r c:\snort\log\trace_part01.pcap -l c:\snort\log -K ascii

which structures all the files in their relevant IP folders, and they have .ids as an extension.

I'm new to using snort, so I'm not quite sure how I can just detect what intrusions are in the pcap files and output them to a file.

G Gr

1 Answer


I suspect that the issue is with your snort.conf file.

Have you got the following line

include $PREPROC_RULE_PATH/preprocessor.rules

uncommented? If not, uncomment the rule to enable it and try again, forcing Snort to re-read the configuration file.

You may also need to ensure the following line in snort.conf is set to high but I'm not 100% sure that it'd be necessary -

preprocessor sfportscan: proto { all } memcap { 1000000 } sense_level { high } scan_type { all }
Mark Hillick
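Once the preprocessor rules are enabled and Snort is re-run over the pcap with `-c snort.conf`, the quickest way to see whether the port scans and ping sweeps were actually caught is to read the alert output back. The following is an added example, not code from the question or answer above: it parses Snort 2 fast-alert lines (the one-line-per-alert format Snort writes with `-A fast`) and summarizes them per rule, per source IP and per priority. The alert lines embedded below are constructed samples, not real capture data.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# One Snort 2 fast-alert line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {protocol}, then "src[:port] -> dst[:port]".
# Portscan alerts from sfportscan carry no ports, so both port groups are optional.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one fast-alert line, or None if it does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_alerts(lines: List[str]) -> Dict[str, Counter]:
    """Count alerts per rule (gid:sid + message), per source IP and per priority."""
    by_rule, by_src, by_prio = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is None:
            continue  # blank lines or anything that is not a fast-alert line
        by_rule[f"{rec['gid']}:{rec['sid']} {rec['msg']}"] += 1
        by_src[rec["src"]] += 1
        by_prio[rec["prio"]] += 1
    return {"by_rule": by_rule, "by_src": by_src, "by_prio": by_prio}

# Constructed sample lines in Snort 2 fast-alert format (not from a real capture).
SAMPLE_ALERTS = [
    "01/15-10:02:11.112233  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.1.77 -> 192.168.1.10",
    "01/15-10:02:13.445566  [**] [122:17:1] (portscan) UDP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.1.77 -> 192.168.1.10",
    "01/15-10:03:01.000100  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 192.168.1.11",
    "01/15-10:03:01.000200  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 192.168.1.12",
    "01/15-10:05:42.987654  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 192.168.1.77:51022",
]

if __name__ == "__main__":
    # To use on real output, replace SAMPLE_ALERTS with open("alert.ids").readlines()
    summary = summarize_alerts(SAMPLE_ALERTS)
    for section, counter in summary.items():
        print(section)
        for key, n in counter.most_common():
            print(f"  {n:4d}  {key}")
```

A single source host accounting for portscan alerts plus a run of ICMP PING alerts against consecutive destinations is the sweep pattern the question describes; if the parser returns nothing for the real alert file, the preprocessor rules are still not being loaded.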