

The Snort post-dissector can show which packets from a pcap file match Snort alerts, and where content or pcre fields match within the payload. It does this by parsing the rules from the Snort config, then running each packet from a pcap file (or pcapng, if Snort is built with a recent version of libpcap) through Snort and recording the alerts emitted. Snort rules often specify that they should only match over TCP, UDP or ICMP.

There is also support for reading alerts that have been written to packet comments in the format used by TraceWrangler (see this blog post). The alerts source can therefore be set to "From running Snort" or "From User Comments" (as written by TraceWrangler).

The post-dissector began as a 2011 Google Summer of Code project - see

This presentation, from Sharkfest EU 2016, discusses the post-dissector, and how it may be used.

The Snort dissector is functional, and has been tested with various versions of Snort 2.9.x.y. It has been tested under Linux (where it works, but may need to be run as root). The author has not tried running it on a Mac. It does not currently work under Windows (see the note in the Discussion section below).
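To make the matching concrete, here is an added illustration (not code from Wireshark's Snort post-dissector, which runs the real Snort binary rather than matching rules itself) of the two things the description above hinges on: a rule's protocol restriction (tcp/udp/icmp) deciding whether it can fire at all, and the offsets at which its content: and pcre: options match inside a payload. The rules, sids and packets are constructed for this example; the option splitter is deliberately minimal and does not handle semicolons escaped inside quoted values.

```python
"""
Toy Snort 2.9-style rule matcher (illustration only; not the post-dissector's code).
Rules, sids, messages and packets below are constructed, not taken from a ruleset
or capture.
"""
import re
from dataclasses import dataclass, field

# Header: action proto src sport dir dst dport, followed by "(options)"
_HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$'
)
# Options are "name:value;" pairs; "nocase;" carries no value.
# Semicolons escaped inside quotes are not handled by this toy splitter.
_OPTION = re.compile(r'\s*(?P<name>[a-z_]+)(?::\s*(?P<value>[^;]*))?;')


@dataclass
class Rule:
    proto: str
    msg: str
    sid: int
    contents: list = field(default_factory=list)  # [pattern bytes, nocase flag]
    pcres: list = field(default_factory=list)     # compiled bytes regexes


def _unquote(value):
    return value.strip().strip('"')


def _content_bytes(text):
    """Expand Snort |hex| escapes: 'GET|20|/' -> b'GET /'."""
    out = bytearray()
    for i, part in enumerate(text.split('|')):
        if i % 2:                      # odd-numbered pieces are hex byte runs
            out += bytes.fromhex(part)
        else:
            out += part.encode('latin-1')
    return bytes(out)


def parse_rule(line):
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    rule = Rule(proto=m.group('proto').lower(), msg='', sid=0)
    for opt in _OPTION.finditer(m.group('opts')):
        name, value = opt.group('name'), opt.group('value')
        if name == 'msg':
            rule.msg = _unquote(value)
        elif name == 'sid':
            rule.sid = int(value)
        elif name == 'content':
            rule.contents.append([_content_bytes(_unquote(value)), False])
        elif name == 'nocase' and rule.contents:
            rule.contents[-1][1] = True          # modifier applies to the previous content
        elif name == 'pcre':
            body = _unquote(value)               # "/pattern/flags"
            pattern, flags = body[1:].rsplit('/', 1)
            rule.pcres.append(re.compile(pattern.encode(), re.I if 'i' in flags else 0))
    return rule


def match_rule(rule, proto, payload):
    """Return None if the rule does not fire, else a list of (option, start, end) offsets."""
    if rule.proto not in ('ip', proto):          # a tcp rule never fires on a udp packet
        return None
    hits = []
    for pattern, nocase in rule.contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        pos = hay.find(needle)
        if pos < 0:
            return None
        hits.append(('content', pos, pos + len(pattern)))
    for rx in rule.pcres:
        m = rx.search(payload)
        if not m:
            return None
        hits.append(('pcre', m.start(), m.end()))
    return hits


def scan(rules, packets):
    """Per packet, list the (sid, msg, hits) of every rule that fired."""
    report = []
    for proto, payload in packets:
        fired = [(r.sid, r.msg, match_rule(r, proto, payload)) for r in rules]
        report.append([(sid, msg, hits) for sid, msg, hits in fired if hits is not None])
    return report


# Constructed sample rules (sids in the local 1000000+ range, not real signatures)
RULES = [parse_rule(r) for r in [
    r'alert tcp any any -> any 80 (msg:"constructed admin probe"; content:"GET|20|/admin"; nocase; pcre:"/admin\/(login|config)/i"; sid:1000001; rev:1;)',
    r'alert udp any any -> any 53 (msg:"constructed dns probe"; content:"|00 01 00 00 00 00 00 00|"; sid:1000002; rev:1;)',
]]

# Constructed sample payloads: (transport protocol, application payload)
PACKETS = [
    ('tcp', b'get /Admin/Login.php HTTP/1.1\r\nHost: example.test\r\n\r\n'),
    ('udp', b'get /admin/login'),   # same bytes over UDP: the tcp rule must not fire
    ('udp', b'\x12\x34\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x04test\x00\x00\x01\x00\x01'),
]

if __name__ == '__main__':
    for (proto, payload), fired in zip(PACKETS, scan(RULES, PACKETS)):
        print(proto, fired)
```

The offsets returned for each content: and pcre: option are what a payload highlighter needs; the protocol check at the top of match_rule is why a rule written for tcp stays silent on the second (UDP) packet even though the bytes are the same.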
