How do I use a Snort rule to search or filter PCAP in Wireshark?

I'd like to be able to replay PCAP files that I've downloaded from our PCAP monitoring solution and use custom Snort rules to identify any traffic that matches. My typical workflow is to identify suspicious traffic in Netwitness, then download the PCAP to open it with Wireshark for deeper analysis. It would make things really easy if I knew a way to load custom Snort rules into Wireshark. Or, is there a way to convert a Snort rule into a query in Wireshark?

If it helps, here is an example of a Snort rule that I would use:

alert tcp any any -> any any ( msg:" APT_SOGU_WD"; flow:established,to_server; content:"POST"; depth:4; content:"?wd="; content:"HTTP/1."; distance:0; content:"xdebug:"; content:"x-request:"; content:"x-content:"; content:"x-storage:"; pcre:"/\?wd=[a-f0-9]{8}/Ui"; sid:9999999;)
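On the second half of the question (turning a Snort rule into a Wireshark query), the following is an added example and not part of the original post, nor a feature of Snort or Wireshark. It walks the rule's header and options and emits an approximate display filter: each content becomes a `tcp.payload contains ...` term (a byte slice when depth/offset is given, a `matches` regex when nocase is set), each pcre becomes `tcp.payload matches ...` with the backslashes doubled as Wireshark string literals require, and everything that has no filter-language equivalent (flow state, distance/within ordering, Snort-specific pcre buffer flags such as U) is returned as a caveat so you know what the filter no longer checks. It assumes the `tcp.payload` / `udp.payload` fields (present in Wireshark 3.x and later; on older builds substitute `tcp contains`) and that `matches` accepts PCRE inline flags such as `(?i)`. The rule in the script is the one from the question, with the duplicated tail trimmed.

```python
"""Approximate a Snort rule as a Wireshark display filter (added example, not code
from the original post, Snort or Wireshark). Assumes the tcp.payload / udp.payload
fields (Wireshark 3.x and later) and that `matches` takes PCRE inline (?i) / (?-i)."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the rule from the question, duplicated tail removed.
SAMPLE_RULE = (
    'alert tcp any any -> any any ( msg:" APT_SOGU_WD"; flow:established,to_server; '
    'content:"POST"; depth:4; content:"?wd="; content:"HTTP/1."; distance:0; '
    'content:"xdebug:"; content:"x-request:"; content:"x-content:"; '
    'content:"x-storage:"; pcre:"/\\?wd=[a-f0-9]{8}/Ui"; sid:9999999;)'
)
HEADER_RE = re.compile(
    r'^\s*\w+\s+(\w+)\s+(\S+)\s+(\S+)\s+(?:->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
IGNORED = ('msg', 'sid', 'rev', 'gid', 'classtype', 'reference', 'metadata', 'priority')

def content_bytes(value: str) -> bytes:
    """Decode a Snort content string: |hex bytes| sections and backslash escapes."""
    out = bytearray()
    for hexpart, esc, plain in re.findall(r'\|([0-9a-fA-F\s]*)\||\\(.)|(.)', value):
        out += bytes.fromhex(hexpart) if hexpart else (esc or plain).encode('latin-1')
    return bytes(out)

def ws_string(data: bytes) -> str:
    """Wireshark literal: a quoted string if printable ASCII, else aa:bb:cc bytes."""
    if all(0x20 <= b < 0x7f for b in data):
        return '"' + data.decode('ascii').replace('\\', '\\\\').replace('"', '\\"') + '"'
    return ':'.join(f'{b:02x}' for b in data)

def ws_regex(pattern: str, nocase: bool) -> str:
    """Quote a PCRE pattern for `matches`; backslashes are doubled in the literal."""
    flagged = ('(?i)' if nocase else '(?-i)') + pattern
    return '"' + flagged.replace('\\', '\\\\').replace('"', '\\"') + '"'

def bytes_regex(data: bytes) -> str:
    """Literal bytes as a PCRE pattern, for content ... nocase (contains is case-sensitive)."""
    return ''.join(chr(b) if b < 0x80 and chr(b).isalnum() else f'\\x{b:02x}' for b in data)

def render(c: Dict, payload: str, caveats: List[str]) -> str:
    """One content/pcre option -> one filter term; offset/depth become an [offset:length] slice."""
    off, depth = c.get('offset'), c.get('depth')
    field = f'{payload}[{off or 0}:{depth}]' if depth is not None else (
        f'{payload}[{off}:]' if off is not None else payload)
    for mod in ('distance', 'within'):
        if mod in c:   # relative to the previous match: Wireshark has no such anchor
            caveats.append(f'{mod}:{c[mod]} is relative to the previous match; order is not enforced')
    if 'regex' in c:
        return f'{field} matches {ws_regex(c["regex"], c["nocase"])}'
    if c['nocase']:
        return f'{field} matches {ws_regex(bytes_regex(c["data"]), True)}'
    return f'{field} contains {ws_string(c["data"])}'

def snort_to_wireshark(rule: str) -> Tuple[str, List[str]]:
    """Return (display_filter, caveats); caveats list Snort semantics the filter drops."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('not a Snort rule')
    proto, src, sport, dst, dport, body = m.groups()
    if proto not in ('tcp', 'udp'):
        raise ValueError(f'only tcp/udp rules are handled, got {proto}')
    payload, terms, caveats = f'{proto}.payload', [proto], []
    for field, val in (('ip.src', src), (f'{proto}.srcport', sport),
                       ('ip.dst', dst), (f'{proto}.dstport', dport)):
        if val == 'any':
            continue
        if re.fullmatch(r'\d+|\d+\.\d+\.\d+\.\d+(/\d+)?', val):   # port, host or CIDR
            terms.append(f'{field} == {val}')
        else:
            caveats.append(f'{field}: {val!r} (variable, list or range) not translated')
    matchers: List[Dict] = []
    for name, val in OPTION_RE.findall(body):
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if name == 'content':
            matchers.append({'data': content_bytes(val), 'nocase': False})
        elif name == 'pcre':                       # "/pattern/flags"
            end = val.rfind('/')
            flags = val[end + 1:]
            for f in flags.replace('i', ''):       # U, R, B, ... select Snort buffers
                caveats.append(f'pcre flag {f!r} (Snort buffer/positional modifier) dropped')
            matchers.append({'regex': val[1:end], 'nocase': 'i' in flags})
        elif name == 'nocase' and matchers:
            matchers[-1]['nocase'] = True
        elif name in ('depth', 'offset', 'distance', 'within') and matchers:
            matchers[-1][name] = int(val)
        elif name == 'flow':
            caveats.append(f'flow:{val} needs stream state; approximate with Follow TCP Stream')
        elif name not in IGNORED:
            caveats.append(f'option {name} not translated')
    return ' && '.join(terms + [render(c, payload, caveats) for c in matchers]), caveats

if __name__ == '__main__':
    display_filter, notes = snort_to_wireshark(SAMPLE_RULE)
    print(display_filter, *('caveat: ' + n for n in notes), sep='\n')
```

For the rule above this yields a filter of nine AND-ed terms (`tcp`, `tcp.payload[0:4] contains "POST"`, the six `contains` strings, and `tcp.payload matches "(?i)\\?wd=[a-f0-9]{8}"`), which you can paste into the display filter bar and then use Follow TCP Stream on a hit to confirm the to_server and ordering conditions the filter cannot express. Since this rule is HTTP, a hand-written equivalent such as `http.request.method == "POST" && http.request.uri matches "\\?wd=[a-f0-9]{8}"` is tighter than the payload translation, because the HTTP dissector gives you the decoded URI buffer that Snort's U flag refers to.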