Snort analysis of wireshark capture

pcapsnort

I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying to do offline analysis with snort (don't want to burden the router with inline analysis of 20 Mbps traffic). Apparently snort provides a -r option for this purpose, but I can't get the analysis to run.

The analysis system is gentoo, amd64, in case that makes any difference. I've already used oinkmaster to download the latest IDS signatures. But when I try to run snort, I keep getting the following error:

% snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3 IPv6 GRE (Build 98) x86_64-linux
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.11 2010-12-10
           Using ZLIB version: 1.2.5

%> snort -v -r jan21-for-snort.cap -c /etc/snort/snort.conf -l ~/snortlog/

(snip)

273 out of 1024 flowbits in use.

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 314
|     1 byte states : 304
|     2 byte states : 10
|     4 byte states : 0
| Characters        : 69371
| States            : 58631
| Transitions       : 3471623
| State Density     : 23.1%
| Patterns          : 3020
| Match States      : 2934
| Memory (MB)       : 29.66
|   Patterns        : 0.36
|   Match Lists     : 0.77
|   DFA
|     1 byte states : 1.37
|     2 byte states : 26.59
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 563 ]
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..

net-libs/daq is installed, but I don't even want to capture traffic, I just want to process the capture file.

What configuration options should I be setting/unsetting in order to do offline analysis instead of real-time capture?

Best Answer

I am not familiar with Gentoo specifically but you could try using the "--daq-list" flag to see what (if any) DAQ modules Snort sees.

e.g:

# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

Then use the "--daq-dir " flag to point Snort to the directory containing the DAQ libraries.

snort -v -r jan21-for-snort.cap -c /etc/snort/snort.conf -l ~/snortlog/ --daq-dir /usr/local/lib/daq/
Related Topic