Snort (post-dissector)

The Snort post-dissector can show which packets from a pcap file match Snort alerts, and where content or pcre fields match within the payload.

It does this by parsing the rules from the Snort config, then running each packet from a pcap file through Snort and recording the alerts emitted. There is also support for reading alerts that have been written to packet comments in the format used by TraceWrangler (see this blog post).
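As an added illustration (not code from this page or from the Wireshark dissector itself), the following Python sketch parses one constructed Snort rule and reports where its content and pcre options match within a constructed payload, which is the kind of per-packet match information the post-dissector displays. The rule, the payload and the helper names are assumptions; Python's re stands in for PCRE.

```python
import re

# Constructed example rule and payload (not taken from the page or any real ruleset).
RULE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Example admin probe"; '
        r'content:"GET "; content:"/admin|2F|"; pcre:"/pass(word|wd)=[^&\s]+/i"; '
        r'sid:1000001; rev:1;)')
PAYLOAD = b"GET /admin/login?user=root&passwd=hunter2 HTTP/1.1\r\nHost: example.test\r\n\r\n"

# Snort pcre flags that map directly onto Python's re (other flags are ignored here).
PCRE_FLAGS = {'i': re.I, 's': re.S, 'm': re.M, 'x': re.X}

def parse_rule(rule):
    """Split a Snort rule into its header fields and an ordered list of (option, value)."""
    header, _, body = rule.partition('(')
    action, proto, src, sport, direction, dst, dport = header.split()
    # Options end with ';'; quoted values may themselves contain ';' or escaped quotes.
    opts = [(name, val.strip('"')) for name, val in
            re.findall(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;', body.rstrip(')'))]
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dir': direction, 'dst': dst, 'dport': dport, 'options': opts}

def content_to_bytes(value):
    """Snort content syntax: literal text with |xx xx| hex runs between pipes."""
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)

def match_rule(rule, payload):
    """Return (fired, spans); spans are (option, start, end) byte offsets into payload.

    Each content/pcre is searched from the start of the payload, as Snort does when
    no offset/depth/distance/within modifiers are present. The rule fires only if
    every content and pcre option matches.
    """
    spans = []
    for name, val in parse_rule(rule)['options']:
        if name == 'content':
            needle = content_to_bytes(val)
            pos = payload.find(needle)
            if pos < 0:
                return False, spans
            spans.append(('content', pos, pos + len(needle)))
        elif name == 'pcre':
            m = re.fullmatch(r'/(.*)/([A-Za-z]*)', val, re.S)
            flags = sum(PCRE_FLAGS.get(f, 0) for f in m.group(2))
            hit = re.search(m.group(1).encode('latin-1'), payload, flags)
            if not hit:
                return False, spans
            spans.append(('pcre', hit.start(), hit.end()))
    return True, spans
```

Running `match_rule(RULE, PAYLOAD)` reports the alert as fired with the three match spans; a payload lacking any one option yields no alert, mirroring the all-options-must-match behaviour of a Snort rule.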

History

The post-dissector began as a 2011 Google Summer of Code project - see https://honeynet.org/node/790

This presentation, from Sharkfest EU 2016, discusses the post-dissector, and how it may be used. Some portions of it are now out of date.

Protocol dependencies

Snort rules often specify that they should only match over TCP, UDP or ICMP.

Wireshark

The Snort dissector is functional, and has been tested with various versions of Snort 2.9.x.y. It has been tested under Linux, but not yet under Windows.

Preference Settings

Example capture file

A capture file only produces Snort alerts if the loaded configuration and rules contain signatures that match its packets.

However, if the freely available Talos and Emerging Threats rule sets are used, there are some capture files that result in alerts being detected.

TODO: find examples from Laura's lab kit and wiki captures that result in interesting alerts.

It is also possible to create artificial alerts from configuration and rules - this was done using rule2alert.py. TODO: give links to tool + patches + upload capture file taken over free rule sets

Display Filter

A complete list of Snort display filter fields can be found in the display filter reference.

Capture Filter

You cannot directly filter for the Snort protocol while capturing. However, if a simple configuration and set of rules are being used, it may be possible to limit by IP ranges (e.g. matching $HOME_NET), transport protocol or port numbers.

Discussion

The post-dissector is useful as it is, but some limitations are:

Snort (last edited 2017-08-29 07:15:05 by MartinMathieson)