2014/07/17

How to setup SNORT to test CUSTOM rules against PCAP files in Windows

by InterDimensional_Shambler
Categories: Analysis, Network Forensics
Tags: ,
Comments: Leave a Comment

How to setup SNORT to test CUSTOM rules against PCAP files in Windows

This article will show you how to SETUP SNORT in Windows to test custom rules against a PCAP file.

Important Notes:

  1. PCAP Encapsulation type must be set to ether and the capture type should be set to libpcap.
  2. If you have wireshark you can run edit cap to convert a PCAP to meet this.
  3. I have a script that merges andconvertsPCAPs for you in the GIT REPO:
  4. Install SNORT to C:\Snort (NOT C:\Snort\Snort)
  5. For ease of use put your pcaps and run commands from C:\Snort\bin
  6. You might need to tweak your SNORT rules a bit to fit to your IDS (Not all SNORT parameters are the same or universally accepted)
  7. When matching on content you must escape the following characters ;\" by using this character \.

Files Required:

  • (Version Last Tested) Snort 2.9.4.1 Installer www.snort.org/downloads/2207
  • Rules Files You do not need these, but there are publicly available rulesets available www.snort.org/snort-rules.
  • SNORT_CONFIG.zip (Extract to C:\Snort folder) This file has two things you need:
    • CUSTOM.rules (Has some example rules commented out. This is where you will add your custom rules)
    • Snort.conf (This is the configuration file that has been altered to SCAN only with the custom rules file)

    Download SNORT_CONFIG.zip from here (Remove JPG extension and open with 7-zip) or extract 0x12BB – 0x331B

0x12BB - 0x331B
0x12BB – 0x331B

Installation Instructions:

Run SNORT Installer

Point Directory to C:\Snort

Select All Modules

Instructions on RUNNING (To test rules):

  • Put your PCAPs in the C:\Snort\bin folder
    • To edit your rules: C:\Snort\rules\CUSTOM.rules
  • Open command prompt as admin
    • Change to the folder where snort is located: cd C:\Snort\bin
    • Run the command below (Change NAMEOFPCAP):
    • snort -c C:\Snort\etc\snort.conf -K none -l C:\Snort\log -q -r NAMEOFPCAP.pcap
  • This command will TEST all of the rules in C:\snort\rules\CUSTOM.rules
  • This command will also tell you:
    • How many packets each rule matches on. (Each of your rules will be identified by SID)
    • It will show how many packets the rule looks through (Checks)(The more checks, the more processing each rule has)
    • It will show how many packets the rule Match & Alert on.
    • It will show how many microsecs each rule takes to run (You want to strive for ~100-200; also run this command about 5 times to get a good baseline it will take different amounts of time each run)

Log files are in C:\Snort\log\alert.ids
You can see which packets matched in the alert.ids file (Use the timestamp, or Sequence & Ack number to find the packet).
The config file is also set to DUMP the matched pcakets into a file in C:\Snort\log\. Just add the extension PCAP.

Testing Rules (for False Positives & Matches):

Grab a 1-5 minute PCAP for a system with a good baseline of network activity (Something to check false positives for)
If you DO have a sample of the bad traffic, make sure you test it and that it matches on it.


Leave a Reply

Your email address will not be published. Required fields are marked *



Today is Friday
2018/02/23