Packet analysis tools and methodology (Part 2)

If you would like to see the other articles in this series please read

Tools of the trade

We left off in part one having gone over some key information as it pertains to computer security, namely port scans and their various types. The list we covered in part one was not an exhaustive one by any means, but it introduced you to some of the more common ones. To that end I would encourage you to explore some of the more advanced scanning methods, such as fragmented packet scanning, FTP bounce, dumb host scanning, and others that are very much in use today. Realistically, only your imagination plus your knowledge of TCP/IP restrict you in the search for new and improved scanning techniques.

With that behind us, where do we go from here in an effort to secure our computing assets? Thankfully, there is a plethora of free tools on the web today. They can help you keep a sharp eye on the flow of information both to and from your computer. Just as I mentioned in the first part, most security tools had their origin in Linux but have since been ported to win32. Once the successful migration of tools began, savvy programmers began to adopt various new strategies. Notably, why program a tool that is reliant on a particular operating system? It is far more beneficial to program tools in a language that is portable. Languages such as Perl and Python come readily to mind. One such tool that we will look at today is snortsnarf, which was written in Perl. In addition to snortsnarf we will also look at snort and windump. These tools can form the basis for a powerful analysis suite. Using these tools does entail installing them, but that is not a difficult task! That being said, for those among you who would prefer not having to install a variety of packages, I would recommend you use Eagle X. Using this freeware tool will save you the aggravation of installing Apache, PHP, MySQL, and ACID, amongst other programs, if you are not yet comfortable with this type of work.

I personally recommend using snortsnarf, as it really is a nice program. Though if you are parsing large snort alert.ids files through it, be aware that it is a RAM pig. Then again, apart from doing your GCIA certification, you probably won't be parsing through files so large that the amount of RAM becomes an issue. With that caveat out of the way, I will walk you through the installation of snortsnarf on win32. Should you wish to do this in Linux as well, there is an installation guide here.

Resolving dependencies

So first off, if you don't have Perl installed on your computer, I would suggest you surf on over to here and download a 5.6.1 release. Snortsnarf will not play with 5.8.x, so you are stuck using the aforementioned 5.6.1 build. Once you have registered, simply double click on the msi and follow the prompts. It is a pretty painless task. You will also have to download three time modules: JulianDay.pm, ParseDate.pm, and Timezone.pm. These three are a must for snortsnarf to work properly. You can find all three of them here. Once you have downloaded all three, install them into the following directory: c:\perl\lib\time\

That is all there is to install, module-wise, for Perl. You will by now have downloaded snortsnarf, and I would counsel you to install it at the root of the c:\ drive itself. Just fire up your copy of winrar and open the compressed snortsnarf archive. When you have done that, just extract the snortsnarf folder to c:\ as mentioned earlier. With the above ready, you have finished installing snortsnarf. To confirm that it all works, perform the following command:

C:\SnortSnarf-021111.1> snortsnarf -help

snortsnarf.pl { OPTION | FILE | user[:passwd][@dbname@host[:port] }
FILE is a text file containing snort alerts in full alert, fast alert, syslog,
 portscan log, or portscan2 log format
user[:passwd][@dbname]@host[:port] is a Snort database
OPTION is one of the following:
-d <dir>          Set the output directory to <dir>
-win              Run in windows mode (required on Windows)
-hiprioisworse    Consider higher priority #'s to indicate higher priority
-cgidir <URL>     Indicate that SnortSnarf's CGI scripts are in <URL>, for links
-homenet <net>    Match <net> to snort -h <net>.  For -ldir
-ldir <URL>       Enable log linking; <URL> is base URL for the log files
-dns [<net>]      Show hostnames for IPs, or only IPs in <net> (can be slow)
-rulesfile <file> Set base Snort rules to <file>. For sig. display and X-refs
-rulesdir <dir>   Set current directory for rule files from -rulesfile
-rulesscanonce    Save read Snort rules in memory.  Might save CPU
-db <path>        Enable annotations; <path> is full path to ann. file from CGI
What you see above is a snippet of the output generated by invoking the help menu in snortsnarf. Now, to actually run it against a snort-generated "alert.ids" file, you would perform the following:

C:\SnortSnarf-021111.1> snortsnarf -win -rs alert.ids

Please note that if you have not copied the alert.ids file over to your snortsnarf directory, you will have to give the full path to the alert.ids file instead.
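To show what snortsnarf is doing when it chews through alert.ids, here is an added example (my own code, not part of snortsnarf or the original article) that parses a constructed sample in snort's "full alert" layout and builds the two summaries snortsnarf presents: hits per signature and hits per source host. The record layout (header line, optional classification/priority line, timestamp line with src -> dst) is assumed from snort's full alert format; records that do not fit it are skipped rather than guessed at.

```python
import re
from collections import Counter

# Constructed sample in Snort "full alert" layout (what alert.ids contains);
# records are blank-line separated, trailing packet-header lines are ignored.
SAMPLE_ALERT_IDS = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/28-22:26:04.877970 192.168.1.10 -> 10.0.0.5
ICMP TTL:38 TOS:0x0 ID:43359 IpLen:20 DgmLen:28

[**] [1:1418:3] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/28-22:27:11.103441 192.168.1.10:34567 -> 10.0.0.5:161
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/28-22:28:40.000123 192.168.1.22 -> 10.0.0.5
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
# timestamp, src[:port] -> dst[:port]
ADDR_RE = re.compile(r"^(\S+) ([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?$")

def parse_full_alerts(text):
    """Return one dict per well-formed record; malformed records are skipped."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue
        rest, priority = lines[1:], None
        if rest and rest[0].startswith("["):  # optional classification/priority line
            m = PRIO_RE.search(rest[0])
            priority = int(m.group(1)) if m else None
            rest = rest[1:]
        addr = ADDR_RE.match(rest[0]) if rest else None
        if not addr:
            continue
        alerts.append({"sig": head.group(1), "msg": head.group(2), "priority": priority,
                       "time": addr.group(1), "src": addr.group(2), "dst": addr.group(3)})
    return alerts

def summarize(alerts):
    """The two tables snortsnarf builds: hits per signature and per source host."""
    return Counter(a["msg"] for a in alerts), Counter(a["src"] for a in alerts)
```

Running summarize(parse_full_alerts(SAMPLE_ALERT_IDS)) on the sample gives two hits for "ICMP PING NMAP" and two from 192.168.1.10, which is exactly the kind of roll-up you read off snortsnarf's HTML pages.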

Packet sniffers and XP SP2

Well, we now have only two remaining things to install on our computer, and those would be snort and windump. You must not forget that for windump to work you will also need winpcap, which can be found at the same site. There have been issues noted if you are running Windows XP SP2. I have personally given up trying to get windump to work on the computer I have running XP SP2. Others have not had an issue with the latest XP service pack conflicting with windump. I would be interested to hear from you on this issue! Installing windump and winpcap is really quite simple; just follow the prompts. These programs should install to the root of c:\ by default, but if not, install them there.

So with those programs ready we can now install snort itself. This program is also quite painless to install, as it comes with an msi. Simply double click it and follow the prompts. This will also install to the root of c:\ by default. Once again, with XP SP2 I have had issues that I could not resolve, but others have. Please let me know how things went for you.

Snort is without a doubt one of the finest intrusion detection systems out there today. All this from an open source product, no less! Many thanks to Marty Roesch and everyone else who has helped make Snort what it is today. There are many excellent tutorials out there on Snort usage, so I won't go into any great detail on it here. Suffice it to say that if all you want to do for now is get it up and running, then perform the following:

Now that you have it installed, navigate via a DOS prompt to c:\snort\bin\. From there you can invoke snort.exe, giving it the full path to the snort.conf file. Otherwise you will need to make some changes to the snort.conf file, which I would not advise until you are a bit more comfortable with it.

Now that all programs have been installed, we will break the article at this point. You will see further syntax usage for snort and snortsnarf in part three, so should you encounter any problems, don't worry: valid syntax for both programs will be shown. Till then!
