How do I use a Snort rule to search or filter PCAP in Wireshark?

asked 2021-04-08 20:10:14 +0000

ducko_24 gravatar image

I'd like to be able to replay PCAP files that I've downloaded from our PCAP monitoring solution and use custom Snort rules to identify any traffic that matches. My typical workflow is to identify suspicious traffic in Netwitness, then download the PCAP to open it with Wireshark for deeper analysis. It would make things really easy if I knew a way to load custom Snort rules in to Wireshark. Or, is there a way to convert a Snort rule in to a query in Wireshark?

If it helps, here is an example of a Snort rule that I would use:

alert tcp any any -> any any ( msg:" APT_SOGU_WD"; flow:established,to_server; content:"POST"; depth:4; content:"?wd="; content:"HTTP/1."; distance:0; content:"xdebug:"; content:"x-request:"; content:"x-content:"; content:"x-storage:"; pcre:"/\?wd=[a-f0-9]{8}/Ui"; sid:9999999;) pcre:"/\?wd=[a-f0-9]{8}/Ui"; sid:9999999;)

edit retag flag offensive close merge delete

Comments

Have you looked at the Snort (post-dissector)?

Chuckc gravatar imageChuckc ( 2021-04-08 20:49:38 +0000 )edit

There is no way to automatically/reliably convert a snort rule directly into a Wireshark display filter. But with the Snort post-dissector, if you are running linux and have a working snort installation/config on the same machine, you should be able to configure snort with the rules of interest, then see which frames in Wireshark the alerts were triggered on (display filter 'snort').

It should also highlight where in the frame it thinks the content and pcre fields matched.

MartinM gravatar imageMartinM ( 2021-04-09 08:12:23 +0000 )edit

I did see that some had posted about this in here. Unfortunately, I’m restricted to using a Windows 10 terminal so a Linux solution won’t work for me. I should have stated that up front.

ducko_24 gravatar imageducko_24 ( 2021-04-13 11:56:15 +0000 )edit

Is WSL/WSL2 an option? There has been some work on this in the Snort lists.

Chuckc gravatar imageChuckc ( 2021-04-13 13:41:17 +0000 )edit