Snort Analyser
Wireshark trace analysed: /log/bit.zip
Snort Output
The Snort output (alert.ids) for this trace is:
[**] [1:1100010:1] P2P .torrent metafile [**]
[Priority: 0]
07/03-07:54:06.930000 213.122.214.127:3868 -> 69.44.153.178:2710
TCP TTL:128 TOS:0x0 ID:21834 IpLen:20 DgmLen:404 DF
***AP*** Seq: 0xE9A59016 Ack: 0xED0BC172 Win: 0x2238 TcpLen: 20

[**] [1:1100010:1] P2P .torrent metafile [**]
[Priority: 0]
07/03-07:54:42.551000 213.122.214.127:3904 -> 69.44.153.178:2710
TCP TTL:128 TOS:0x0 ID:22748 IpLen:20 DgmLen:390 DF
***AP*** Seq: 0xEA47AA16 Ack: 0xEE93DF8E Win: 0x2238 TcpLen: 20
Rules file
alert tcp any any -> any any (msg: "P2P .torrent metafile"; content:"HTTP/"; content:".torrent"; sid:1100010; rev:1;)
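As an added example (not part of this analyser page or of Snort itself), a small Python parser for the full-format alert.ids records shown above: each record becomes a dict of its signature, flow and header fields, and a helper counts hits per signature and peer so repeated alerts from one host stand out. The two sample records are copied from the output above.

```python
import re
from collections import Counter

# alert.ids content, copied from the Snort output shown on this page.
SAMPLE_ALERTS = """\
[**] [1:1100010:1] P2P .torrent metafile [**]
[Priority: 0]
07/03-07:54:06.930000 213.122.214.127:3868 -> 69.44.153.178:2710
TCP TTL:128 TOS:0x0 ID:21834 IpLen:20 DgmLen:404 DF
***AP*** Seq: 0xE9A59016 Ack: 0xED0BC172 Win: 0x2238 TcpLen: 20

[**] [1:1100010:1] P2P .torrent metafile [**]
[Priority: 0]
07/03-07:54:42.551000 213.122.214.127:3904 -> 69.44.153.178:2710
TCP TTL:128 TOS:0x0 ID:22748 IpLen:20 DgmLen:390 DF
***AP*** Seq: 0xEA47AA16 Ack: 0xEE93DF8E Win: 0x2238 TcpLen: 20
"""

# One regex per line type of Snort's "full" alert format.
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)( DF)?$")
TCP_RE = re.compile(r"^(\S{8}) Seq: (\S+)\s+Ack: (\S+)\s+Win: (\S+)\s+TcpLen: (\d+)$")

def parse_alerts(text):
    """Split alert.ids into blank-line separated records and parse each into a dict."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for ln in (l.strip() for l in block.splitlines() if l.strip()):
            if m := HEADER_RE.search(ln):
                rec.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
            elif m := PRIO_RE.search(ln):
                rec["priority"] = int(m[1])
            elif m := FLOW_RE.match(ln):
                rec.update(timestamp=m[1], src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]))
            elif m := IP_RE.match(ln):
                rec.update(proto=m[1], ttl=int(m[2]), ip_id=int(m[4]), dgm_len=int(m[6]), df=m[7] is not None)
            elif m := TCP_RE.match(ln):
                rec.update(flags=m[1], seq=int(m[2], 16), ack=int(m[3], 16), tcp_len=int(m[5]))
        if all(k in rec for k in ("sid", "src", "dst")):  # skip incomplete records
            alerts.append(rec)
    return alerts

def top_flows(alerts):
    """Count alerts per (sid, source host, destination host:port)."""
    return Counter((a["sid"], a["src"], f'{a["dst"]}:{a["dport"]}') for a in alerts)
```

Running top_flows(parse_alerts(SAMPLE_ALERTS)) shows both hits come from the same source host to the same tracker port, which is the first thing to check before deciding whether a signature like this one needs tuning.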
Examples
You can use Snort as a stand-alone analyser with the "-r" option, which reads packets from a saved pcap file instead of a live interface. The following traces can be used with Snort:
- Trace with Hydra FTP crack/Bad Login
- Trace with Hydra Telnet crack
- Trace with Port Scan
- Trace with SYN Flood (DoS)
- Trace with FIN Flood (DoS)
- Trace with PDF file
- Trace with GIF file
- Trace with PNG file
- Trace with email attachments (MIME)
- Trace with email addresses
- Trace with credit card details
- Trace with DNS
- Trace with Ping sweep
- Trace with SNMP
- Trace with ARP Spoof
- Trace with Heartbleed
- Teardrop DoS
- Bittorrent