I currently have the following, presumably standard, setup: I have a physical server with Snort running. Snort logs into its log files as it should. Those files are tracked by barnyard2 which writes the traffic to a database for Snorby.

Snort and barnyard2 are started as a systemd service. Now, besides the ongoing analysis of network traffic by Snort, I want to read pcap files from a different source about every hour, applying my Snort rules to them.

Fortunately, Snort provides this feature directly. However, using snort -r foo.pcap starts a new instance of Snort, which of course results in a new logfile. Barnyard2 recognizes this new log file and handles the data from the pcap as expected => the rules are fine and work for the pcap traffic. However, traffic from the Snort instance running as a service is still written into the old file, and barnyard2 is not handling these packets due to the newer logfile being present.

In order to avoid this, I'm now trying to use tcpreplay to replay the pcap to my external interface, so that the Snort service can handle the packets like any other traffic. Unfortunately, Snort doesn't match on any packets if they are replayed this way. The rules working via snort -r should prove that they are correct.

Do I have to rewrite anything like MAC addresses when using tcpreplay? It may be worth mentioning that I had to recompile Snort with the --enable-non-ether-decoders parameter for it to be able to read the pcap traffic.

Roper

1 Answer

The solution was to use tcprewrite to rewrite the data link frames via tcprewrite --dlt=enet. The issue seems to be the same one that required Snort to be compiled with --enable-non-ether-decoders. I assume it originates from virtualization being involved somewhere in the observed environment.

Roper
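The answer comes down to the capture's link-layer type: a Snort service listening on an Ethernet interface expects Ethernet frames, so a pcap recorded with a non-Ethernet DLT has to go through tcprewrite --dlt=enet before tcpreplay. The following added example (mine, not part of the question or answer) reads the DLT out of a classic pcap global header and builds the matching tcprewrite command; the sample headers are constructed, and --infile, --outfile, --enet-smac and --enet-dmac are tcprewrite's own options.

```python
import struct

# Selected DLT values from libpcap's link-layer header type registry (tcpdump.org).
DLT_EN10MB = 1          # Ethernet: what a Snort instance on an Ethernet interface decodes
DLT_NAMES = {1: "EN10MB", 101: "RAW", 113: "LINUX_SLL", 228: "IPV4", 229: "IPV6"}

# Classic pcap magic numbers and the struct byte-order prefix each implies.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

def pcap_linktype(header: bytes) -> int:
    """Return the link-layer type (DLT) stored in a classic pcap global header."""
    if len(header) < 24:
        raise ValueError("need the 24-byte pcap global header")
    if header[:4] == PCAPNG_MAGIC:
        raise ValueError("pcapng file; tcprewrite works on classic pcap, convert it first")
    order = PCAP_MAGICS.get(header[:4])
    if order is None:
        raise ValueError("unrecognised pcap magic %s" % header[:4].hex())
    # Fields after the magic: version major/minor, thiszone, sigfigs, snaplen, network (DLT).
    _major, _minor, _zone, _sigfigs, _snaplen, network = struct.unpack(order + "HHiIII", header[4:24])
    return network

def linktype_of_file(path: str) -> int:
    with open(path, "rb") as f:
        return pcap_linktype(f.read(24))

def rewrite_command(infile: str, outfile: str, linktype: int, smac=None, dmac=None):
    """tcprewrite command to run before tcpreplay, or None if the capture is already Ethernet.
    smac/dmac fill --enet-smac/--enet-dmac for source DLTs that carry no MAC addresses (e.g. RAW)."""
    if linktype == DLT_EN10MB:
        return None
    cmd = ["tcprewrite", "--dlt=enet", "--infile=" + infile, "--outfile=" + outfile]
    if smac:
        cmd.append("--enet-smac=" + smac)
    if dmac:
        cmd.append("--enet-dmac=" + dmac)
    return cmd

# Constructed sample headers (not from a real capture): Linux cooked (113) and Ethernet (1).
SLL_HEADER = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 113)
ENET_HEADER = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
```

Run linktype_of_file on the capture before replaying; a value other than 1 is the case the answer hit, and the returned command is the rewrite step to insert before tcpreplay.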