The Snort post-dissector can show which packets from a pcap file match snort alerts, and where content or pcre fields match within the payload.
It does this by parsing the rules from the snort config, then running each packet from a pcap file through snort and recording the alerts emitted. There is also support for reading alerts that have been written to packet comments in the format used by TraceWrangler (see this blog post).
The post-dissector began as a 2011 Google Summer of Code project - see https://honeynet.org/node/790
This presentation, from Sharkfest EU 2016, discusses the post-dissector, and how it may be used. Some portions of it are now out of date.
The Snort dissector is functional, and has been tested with various versions of Snort 2.9.x.y. It has been tested under linux, but not yet Windows.
Source of Snort alerts. Defaults to "From Nowhere". Also available are "From running Snort", and "From User Comments" (as written by TraceWrangler).
- The name of the Snort binary file to run. This includes the path, and defaults to usual Unix or Windows default.
- Configuration filename. The path and configuration file loaded by Snort using the -c option. Defaults to usual platform defaults. Filename is usually snort.conf
- Show rule stats in protocol tree. When enabled, will show as generated fields stats for rules and alerts found inside any Snort subtrees. Default FALSE.
- Show alerts in expert info. Default FALSE.
- Try to show alerts in reassembled frames. Rather than showing the alert in the frame where it was detected, if it was a TCP segment that is later reassembled into an upper-level PDU, show the alert in that frame instead. Default FALSE.
Example capture file
Capture files will only result in Snort alerts if the configuration and rules will result in alert signatures matching the packets.
However, if the freely available Talos and Emerging-threats rules are used, there are some capture files that result in alerts being detected.
TODO: find examples from Laura's lab kit and wiki captures that result in interesting alerts.
It is also possible to create artificial alerts from configuration and rules - this was done using rule2alert.py. TODO: give links to tool + patches + upload capture file taken over free rule sets
A complete list of Snort display filter fields can be found in the display filter reference
Show only the Snort based traffic:
You cannot directly filter for the Snort protocol while capturing. However, if a simple configuration and set of rules are being used, it may be possible to limit by IP ranges (e.g. matching $HOME_NET), transport protocol or port numbers.
The snort project is here
For generating capture files from rules, rule2alert may be useful. While testing with standard rules, a couple of simple patches were needed.
The post-dissector is useful as it is, but some limitations are:
- Hasn't been successfully tested on Windows - a quick test suggests maybe the config parsing failed, will try to resolve soon
- Have not tried to using while live capturing..
- Not tested with Snort 3
- Have not tried to make it work with Suricata