Snort Analyser
Trace name: /log/with_swf.zip
Snort Output
The Snort output is:
alert.ids:
[**] [1:10008:0] Flash Video [**] [Priority: 0] 11/18-21:18:13.302063 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3344 IpLen:20 DgmLen:1440 ***AP*** Seq: 0x9EC9105C Ack: 0x5D229AB9 Win: 0xFAF0 TcpLen: 20
[**] [1:10001:0] PDF [**] [Priority: 0] 11/18-21:18:16.938836 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3382 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9EC942F7 Ack: 0x5D229F03 Win: 0xFAF0 TcpLen: 20
[**] [1:10005:0] MP3 [**] [Priority: 0] 11/18-21:18:16.938837 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3383 IpLen:20 DgmLen:1476 ***AP*** Seq: 0x9EC948AB Ack: 0x5D229F03 Win: 0xFAF0 TcpLen: 20
[**] [1:10006:0] AVI [**] [Priority: 0] 11/18-21:18:16.939868 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3384 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9EC94E47 Ack: 0x5D229F03 Win: 0xFAF0 TcpLen: 20
[**] [1:10008:0] Flash Video [**] [Priority: 0] 11/18-21:18:16.939868 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3384 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9EC94E47 Ack: 0x5D229F03 Win: 0xFAF0 TcpLen: 20
[**] [1:10007:0] Flash SWF [**] [Priority: 0] 11/18-21:18:16.939868 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3384 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9EC94E47 Ack: 0x5D229F03 Win: 0xFAF0 TcpLen: 20
[**] [1:10001:0] PDF [**] [Priority: 0] 11/18-21:18:16.939910 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3386 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9EC959AF Ack: 0x5D229F03 Win: 0xFAF0 TcpLen: 20
[**] [1:10000:0] GIF [**] [Priority: 0] 11/18-21:18:16.939912 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3388 IpLen:20 DgmLen:1440 ***AP*** Seq: 0x9EC96517 Ack: 0x5D229F03 Win: 0xFAF0 TcpLen: 20
[**] [1:10001:0] PDF [**] [Priority: 0] 11/18-21:18:16.939912 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3388 IpLen:20 DgmLen:1440 ***AP*** Seq: 0x9EC96517 Ack: 0x5D229F03 Win: 0xFAF0 TcpLen: 20
[**] [1:10007:0] Flash SWF [**] [Priority: 0] 11/18-21:18:20.985192 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3417 IpLen:20 DgmLen:1476 ***AP*** Seq: 0x9EC988FD Ack: 0x5D22A351 Win: 0xFAF0 TcpLen: 20
[**] [1:10002:0] PNG [**] [Priority: 0] 11/18-21:18:21.078888 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3432 IpLen:20 DgmLen:1488 ***AP*** Seq: 0x9EC99A97 Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
[**] [1:10004:0] JPEG [**] [Priority: 0] 11/18-21:18:21.079997 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3449 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9EC9FAD7 Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
[**] [1:10004:0] JPEG [**] [Priority: 0] 11/18-21:18:21.081295 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3459 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9ECA3373 Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
[**] [1:10004:0] JPEG [**] [Priority: 0] 11/18-21:18:21.124820 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3486 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9ECABB87 Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
[**] [1:10004:0] JPEG [**] [Priority: 0] 11/18-21:18:21.149107 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3546 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9ECBD2FB Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
[**] [1:10004:0] JPEG [**] [Priority: 0] 11/18-21:18:21.149107 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3548 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9ECBDE63 Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
[**] [1:10004:0] JPEG [**] [Priority: 0] 11/18-21:18:21.149110 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3555 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9ECC064F Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
[**] [1:10004:0] JPEG [**] [Priority: 0] 11/18-21:18:21.170613 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3597 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9ECCE85B Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
[**] [1:10004:0] JPEG [**] [Priority: 0] 11/18-21:18:21.191091 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3640 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9ECDDBAB Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
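The alerts above are easier to triage once parsed. This added Python (not part of the page's analyser) parses Snort full-format alert lines into records, counts them per signature and per flow, and flags flows on which several different signatures fired; the three records embedded in it are copied from the output above.

```python
import re
from collections import Counter

# Added example, not part of the page's analyser. The three records below are
# copied from the Snort output shown above (full alert format, one alert per line).
ALERTS = """
[**] [1:10008:0] Flash Video [**] [Priority: 0] 11/18-21:18:13.302063 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3344 IpLen:20 DgmLen:1440 ***AP*** Seq: 0x9EC9105C Ack: 0x5D229AB9 Win: 0xFAF0 TcpLen: 20
[**] [1:10004:0] JPEG [**] [Priority: 0] 11/18-21:18:21.079997 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3449 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9EC9FAD7 Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
[**] [1:10004:0] JPEG [**] [Priority: 0] 11/18-21:18:21.081295 212.227.84.95:80 -> 172.16.121.162:8097 TCP TTL:128 TOS:0x0 ID:3459 IpLen:20 DgmLen:1500 ***A**** Seq: 0x9ECA3373 Ack: 0x5D22A56C Win: 0xFAF0 TcpLen: 20
"""

# [**] [gid:sid:rev] msg [**] [Priority: p] timestamp src:sport -> dst:dport PROTO ... DgmLen:n FLAGS Seq: 0x...
ALERT_RE = re.compile(
    r'\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] '
    r'\[Priority: (?P<prio>\d+)\] (?P<ts>\S+) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) '
    r'.*?DgmLen:(?P<dgmlen>\d+) (?P<flags>\S+) Seq: (?P<seq>0x[0-9A-Fa-f]+)')

def parse_alerts(text):
    """One dict per alert line; lines that do not parse are skipped."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def flow_key(a):
    return f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}"

def summarise(alerts):
    """Alert counts per (sid, msg) and per flow."""
    by_sig = Counter((a['sid'], a['msg']) for a in alerts)
    by_flow = Counter(flow_key(a) for a in alerts)
    return by_sig, by_flow

def noisy_flows(alerts, min_sigs=2):
    """Flows on which several different signatures fired. With unanchored
    magic-byte rules this usually means one response stream, not several files."""
    sigs = {}
    for a in alerts:
        sigs.setdefault(flow_key(a), set()).add(a['sid'])
    return sorted(f for f, s in sigs.items() if len(s) >= min_sigs)

if __name__ == '__main__':
    alerts = parse_alerts(ALERTS)
    by_sig, by_flow = summarise(alerts)
    print(by_sig.most_common(), by_flow, noisy_flows(alerts))
```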
Rules file
# Signature Detection
# Each rule matches a file-format magic-byte sequence anywhere in the TCP payload.
# Quoted text is literal; bytes between | | are hex. Every option must end with ";".
alert tcp any any -> any any (content:"GIF89a"; msg:"GIF"; sid:10000;)
alert tcp any any -> any any (content:"%PDF"; msg:"PDF"; sid:10001;)
alert tcp any any -> any any (content:"|89 50 4E 47|"; msg:"PNG"; sid:10002;)
alert tcp any any -> any any (content:"|50 4B 03 04|"; msg:"ZIP"; sid:10003;)
# Only two bytes: fires on any segment containing FF D8, not just JPEG headers
alert tcp any any -> any any (content:"|FF D8|"; msg:"JPEG"; sid:10004;)
alert tcp any any -> any any (content:"|49 44 33|"; msg:"MP3"; sid:10005;)
# "RIFF" is the container header shared by AVI, WAV and other RIFF files
alert tcp any any -> any any (content:"|52 49 46 46|"; msg:"AVI"; sid:10006;)
alert tcp any any -> any any (content:"|46 57 53|"; msg:"Flash SWF"; sid:10007;)
alert tcp any any -> any any (content:"|46 4C 56|"; msg:"Flash Video"; sid:10008;)
alert tcp any any -> any any (content:"|1F 8B 08|"; msg:"GZip"; sid:10009;)
alert tcp any any -> any any (content:"|52 61 72 21 1A 07 00|"; msg:"RAR"; sid:10010;)
# OLE2 Compound File header, used by the Office 97-2003 binary formats
# (Office 2007+ .docx/.xlsx files are ZIP containers and hit sid 10003 instead)
alert tcp any any -> any any (content:"|D0 CF 11 E0 A1 B1 1A E1|"; msg:"Office 2010"; sid:10011;)
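As an added example (not part of the analyser page or its rules file), the Python below emulates the unanchored content matching these rules rely on and runs a constructed subset of them against constructed payload headers, showing how short or shared magic bytes produce labels that do not describe the real file type.

```python
import re

# Added example, not part of the analyser page. A minimal emulation of the
# unanchored content matching the rules above rely on. RULES is a constructed
# subset of the page's rules file; the payloads are constructed headers.
RULES = '''
alert tcp any any -> any any (content:"GIF89a"; msg:"GIF"; sid:10000;)
alert tcp any any -> any any (content:"%PDF"; msg:"PDF"; sid:10001;)
alert tcp any any -> any any (content:"|89 50 4E 47|"; msg:"PNG"; sid:10002;)
alert tcp any any -> any any (content:"|50 4B 03 04|"; msg:"ZIP"; sid:10003;)
alert tcp any any -> any any (content:"|FF D8|"; msg:"JPEG"; sid:10004;)
alert tcp any any -> any any (content:"|52 49 46 46|"; msg:"AVI"; sid:10006;)
alert tcp any any -> any any (content:"|D0 CF 11 E0 A1 B1 1A E1|"; msg:"Office 2010"; sid:10011;)
'''

RULE_RE = re.compile(r'content:"([^"]*)";\s*msg:"([^"]*)";\s*sid:(\d+);')

def parse_content(spec):
    """Snort content notation: text outside |...| is literal, hex inside it."""
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)

def load_rules(text):
    """(sid, msg, pattern) for every rule in the text."""
    return [(int(sid), msg, parse_content(c)) for c, msg, sid in RULE_RE.findall(text)]

def match(payload, rules):
    """Every rule whose pattern occurs anywhere in the payload, like an
    unanchored content match (no offset/depth, no file-type validation)."""
    return [(sid, msg) for sid, msg, pat in rules if pat in payload]

# Constructed payloads
WAV   = b'RIFF\x24\x08\x00\x00WAVEfmt '                   # RIFF container, but audio
DOCX  = b'PK\x03\x04\x14\x00\x06\x00[Content_Types].xml'   # Office 2007+ is a ZIP
NOISE = b'\x01\x02\xff\xd8\x03\x04'                        # FF D8 mid-stream, not a JPEG

if __name__ == '__main__':
    rules = load_rules(RULES)
    for name, payload in [('wav', WAV), ('docx', DOCX), ('noise', NOISE)]:
        print(name, match(payload, rules))
```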
Examples
You can use Snort as a stand-alone analyser with the "-r" option, which reads packets from a saved pcap file instead of a live interface. The following traces can be used with Snort:
- Trace with Hydra FTP crack/Bad Login
- Trace with Hydra Telnet crack
- Trace with Port Scan
- Trace with SYN Flood (DoS)
- Trace with FIN Flood (DoS)
- Trace with PDF file
- Trace with GIF file
- Trace with PNG file
- Trace with email attachments (MIME)
- Trace with email addresses
- Trace with credit card details
- Trace with DNS
- Trace with Ping sweep
- Trace with SNMP
- Trace with ARP Spoof
- Trace with Heartbleed
- Teardrop DoS
- Bittorrent