I'm learning to use snort by myself and I can't figure out if I'm generating alerts from a file well.
The rules I have in local.rules are:
alert icmp any any -> any any (msg:"Testing ICMP"; sid:1000001;)
alert tcp any any -> any any (msg:"Testing TCP"; sid:1000002;)
alert udp any any -> any any (msg:"Testing UDP"; sid:1000003;)
The command I use is this:
snort -c E:\Snort\etc\snort.conf -A fast -r pcap_to_use.pcap
What I get in the E:\Snort\log folder are these files:
- alert.ids
- alert.ids.xxxxxxxxxx
- alert.ids.yyyyyyyyyy
- ...
- snort.log.zzzzzzzzzz
- snort.log.wwwwwwwwww
- ...
I thought that for each packet present in the pcap a line was generated in the alert.ids file, but this is not the case.
How do I use these obtained files, especially the classification, for analysis? I need to extract the classification to train a neural network.
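One way to read the alert.ids lines produced by `-A fast` and pull out the classification label per alert, as an added example (it is not part of the question and not Snort's own code). It assumes the Snort 2.x fast alert line layout and uses constructed sample lines; one of them comes from a hypothetical rule that sets a classtype, because rules without one, like the three above, emit no Classification field at all.

```python
import re
from collections import Counter

# One line of Snort "-A fast" output (assumption: Snort 2.x layout). Classification
# and Priority are optional: a rule with no classtype prints no Classification field.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"(?:\[Priority:\s+(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def split_endpoint(ep):
    """Split 'ip:port' into (ip, port); ICMP endpoints carry no port."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None

def parse_fast_alert(line):
    """Return a dict of fields for one alert line, or None if the line does not match."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {
        "sid": int(m["sid"]), "msg": m["msg"],
        "classification": m["cls"],  # None when the rule had no classtype
        "priority": int(m["pri"]) if m["pri"] else None,
        "proto": m["proto"], "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }

def classification_counts(lines):
    """Tally labels over alert lines; 'unclassified' marks rules that set no classtype."""
    counts = Counter()
    for line in lines:
        rec = parse_fast_alert(line)
        if rec:
            counts[rec["classification"] or "unclassified"] += 1
    return counts

# Constructed sample lines (not real output from the question's pcap); the third uses a hypothetical sid.
SAMPLE_ALERTS = [
    "08/10-14:35:22.123456  [**] [1:1000001:0] Testing ICMP [**] [Priority: 0] {ICMP} 192.168.1.5 -> 192.168.1.1",
    "08/10-14:35:23.000001  [**] [1:1000002:0] Testing TCP [**] [Priority: 0] {TCP} 192.168.1.5:51234 -> 10.0.0.1:80",
    "08/10-14:35:24.500000  [**] [1:2000001:1] Testing TCP with classtype [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:4444 -> 192.168.1.5:22",
]
```

Feed `open("alert.ids")` to `classification_counts` to see how many alerts actually carry a label before building a training set from them.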