Snort (post-dissector)

The Snort post-dissector can show which packets from a pcap file match snort alerts, and where content or pcre fields match within the payload.

It does this by parsing the rules from the Snort config, then running each packet from a pcap file (or pcapng, if Snort is built with a recent version of libpcap) through Snort and recording the alerts emitted. There is also support for reading alerts that have been written to packet comments in the format used by TraceWrangler (see this blog post).
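The core of the approach described above is to match the alerts Snort emits back to the frames that produced them. The following is an added example, not code from the Wireshark post-dissector itself: it parses alert lines in Snort's "fast"/console output format (assumed here; the constructed sample lines follow that layout) and attaches each alert to the capture frame with the same timestamp, protocol and endpoints. The packet list and alert text are constructed for the example; one frame deliberately triggers two alerts, and one frame triggers none.

```python
import re
from collections import defaultdict

# Snort "fast" alert line, e.g.
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src -> dst
# Classification and Priority are optional because not every rule sets them.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'(?:\s+\[Priority:\s*(?P<prio>\d+)\])?'
    r'\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

# Constructed Snort output (not real alerts); frame 1 fires two rules.
SAMPLE_ALERTS = """\
01/28-22:26:04.885446  [**] [1:1000001:1] CONSTRUCTED HTTP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80
01/28-22:26:04.885446  [**] [1:1000009:2] CONSTRUCTED second hit on same packet [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80
this line is not an alert and must be ignored
01/28-22:26:05.100000  [**] [1:1000002:1] CONSTRUCTED DNS query [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.20:40000 -> 8.8.8.8:53
"""

# Constructed frame summary, as a dissector would see it (frame number,
# capture timestamp, transport protocol, source and destination endpoints).
SAMPLE_FRAMES = [
    {"frame": 1, "ts": "01/28-22:26:04.885446", "proto": "TCP", "src": "10.0.0.5:51234", "dst": "192.168.1.10:80"},
    {"frame": 2, "ts": "01/28-22:26:04.990000", "proto": "TCP", "src": "192.168.1.10:80", "dst": "10.0.0.5:51234"},
    {"frame": 3, "ts": "01/28-22:26:05.100000", "proto": "UDP", "src": "192.168.1.20:40000", "dst": "8.8.8.8:53"},
]


def parse_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev"):
        d[key] = int(d[key])
    d["prio"] = int(d["prio"]) if d["prio"] is not None else None
    return d


def parse_alerts(text):
    """Parse every line of Snort output, silently skipping non-alert lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def attach_alerts(frames, alerts):
    """Map frame number -> list of alerts whose timestamp/proto/endpoints match that frame.

    Timestamp alone is not a safe key: two frames can share a microsecond
    timestamp, so protocol and endpoints are part of the key as well.
    """
    index = {(f["ts"], f["proto"], f["src"], f["dst"]): f["frame"] for f in frames}
    result = defaultdict(list)
    for a in alerts:
        frame = index.get((a["ts"], a["proto"], a["src"], a["dst"]))
        if frame is not None:
            result[frame].append(a)
    return dict(result)


if __name__ == "__main__":
    hits = attach_alerts(SAMPLE_FRAMES, parse_alerts(SAMPLE_ALERTS))
    for frame in sorted(hits):
        for a in hits[frame]:
            print(f"frame {frame}: sid {a['sid']} rev {a['rev']} prio {a['prio']} {a['msg']!r}")
```

Alerts whose key matches no frame are dropped rather than guessed at; when Snort reassembles a stream, an alert can legitimately refer to a rebuilt pseudo-packet rather than any single frame, and a dissector must treat that case separately rather than attach it to the nearest timestamp.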

History

The post-dissector began as a 2011 Google Summer of Code project - see https://honeynet.org/node/790

This presentation, from Sharkfest EU 2016, discusses the post-dissector, and how it may be used. Some portions of it are now out of date.

Protocol dependencies

Snort rules often specify that they should only match over TCP, UDP or ICMP.

Wireshark

The Snort dissector is functional, and has been tested with various versions of Snort 2.9.x.y. It has been tested under Linux (where it works, but may need to be run as root). It does not currently work under Windows (see note in Discussion section below). The author has not tried running it on a Mac.

Preference Settings

Example capture file

A capture file will only produce Snort alerts if the loaded configuration and rules contain signatures that match its packets.

However, if the freely available Emerging Threats or Talos rules are used, there are some capture files that result in alerts being detected.

TODO: find examples from Laura's lab kit and wiki captures that result in interesting alerts.

It is also possible to create artificial alerts from configuration and rules - this was done using rule2alert.py. TODO: give links to example capture files created from free rule sets.

Display Filter

A complete list of Snort display filter fields can be found in the display filter reference.

Capture Filter

You cannot directly filter for the Snort protocol while capturing. However, if a simple configuration and set of rules are being used, it may be possible to limit by IP ranges (e.g. matching $HOME_NET), transport protocol or port numbers.
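One way to derive such a capture filter from a simple configuration, as an added example that is not part of this page or of Wireshark: the script below reads `ipvar`/`portvar` definitions and rule headers from a constructed snort.conf fragment and emits a BPF expression combining transport protocol, networks and ports. Variable names, rule SIDs and addresses are all constructed for the example. Two design choices matter for a filter that feeds Snort: any term that cannot be expressed safely (`any`, a negated variable such as `!$HOME_NET`, an unknown variable) is dropped so the filter only ever widens, never loses packets, and `net`/`port` terms are used undirected so both directions of a flow are kept, since Snort's stream tracking needs the reverse traffic too.

```python
import re

# Constructed snort.conf fragment (not taken from the page); only the
# rule headers matter for a capture filter, the option part is ignored.
SAMPLE_CONF = """\
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080,8000]
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED rule 1"; sid:1000001;)
alert udp any any -> $HOME_NET 53 (msg:"CONSTRUCTED rule 2"; sid:1000002;)
alert icmp any any -> $HOME_NET any (msg:"CONSTRUCTED rule 3"; sid:1000003;)
"""

VAR_RE = re.compile(r'^\s*(ipvar|portvar)\s+(\w+)\s+(\S+)')
RULE_RE = re.compile(
    r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+(tcp|udp|icmp|ip)\s+'
    r'(\S+)\s+(\S+)\s+(?:->|<>)\s+(\S+)\s+(\S+)'
)


def parse_vars(conf):
    """Collect ipvar/portvar definitions as name -> raw value."""
    return {m.group(2): m.group(3) for m in map(VAR_RE.match, conf.splitlines()) if m}


def expand(value, variables, kind):
    """Turn one Snort address/port value into a list of BPF atoms.

    Returns None when the value cannot be constrained safely (any, negation,
    unknown variable); the caller then simply omits that term.
    """
    value = value.strip()
    if value.startswith('$'):
        if value[1:] not in variables:
            return None
        value = variables[value[1:]]
    if value == 'any' or value.startswith('!'):
        return None
    atoms = []
    for item in value.strip('[]').split(','):
        item = item.strip()
        if not item or item.startswith(('$', '!')):
            return None
        if kind == 'ip':
            atoms.append(f"net {item}" if '/' in item else f"host {item}")
        elif ':' in item:                       # Snort port range lo:hi, either end optional
            lo, hi = item.split(':', 1)
            atoms.append(f"portrange {lo or 0}-{hi or 65535}")
        else:
            atoms.append(f"port {item}")
    return atoms


def group(atoms):
    return atoms[0] if len(atoms) == 1 else "(" + " or ".join(atoms) + ")"


def rule_filter(line, variables):
    """BPF expression for one rule header, or None if the line is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    terms = [] if proto == 'ip' else [proto]
    for value, kind in ((src, 'ip'), (dst, 'ip'), (sport, 'port'), (dport, 'port')):
        atoms = expand(value, variables, kind)
        if atoms:
            term = group(atoms)
            if term not in terms:               # src and dst often share $HOME_NET
                terms.append(term)
    return " and ".join(terms)


def capture_filter(conf):
    """OR together the per-rule filters; '' means no useful narrowing is possible."""
    variables = parse_vars(conf)
    parts = []
    for line in conf.splitlines():
        f = rule_filter(line, variables)
        if f is None:
            continue
        if f == "":                             # a rule that matches everything
            return ""
        if f not in parts:
            parts.append(f)
    return " or ".join(f"({p})" for p in parts)


if __name__ == "__main__":
    print(capture_filter(SAMPLE_CONF))
```

The resulting expression can be handed to dumpcap or tshark with `-f`. With real rule sets (thousands of rules, many using `any` or negated variables) the filter collapses to almost nothing, which is exactly the limitation the paragraph above describes: narrowing at capture time only pays off for a small, specific rule set.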

Discussion

The post-dissector is useful as it is, but some limitations are:

Snort (last edited 2018-10-30 13:36:28 by MartinMathieson)