How do I use a Snort rule to search or filter PCAP in Wireshark?

I'd like to be able to replay PCAP files that I've downloaded from our PCAP monitoring solution and use custom Snort rules to identify any traffic that matches. My typical workflow is to identify suspicious traffic in Netwitness, then download the PCAP to open it with Wireshark for deeper analysis. It would make things really easy if I knew a way to load custom Snort rules into Wireshark. Or, is there a way to convert a Snort rule into a query in Wireshark?

If it helps, here is an example of a Snort rule that I would use:

alert tcp any any -> any any ( msg:" APT_SOGU_WD"; flow:established,to_server; content:"POST"; depth:4; content:"?wd="; content:"HTTP/1."; distance:0; content:"xdebug:"; content:"x-request:"; content:"x-content:"; content:"x-storage:"; pcre:"/\?wd=[a-f0-9]{8}/Ui"; sid:9999999;)

ducko_24 (asked 2021-04-08 20:10:14 +0000)
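For the "convert the rule into a query" half of the question, here is an added example (not code from the poster, Wireshark or Snort) of what a best-effort translation looks like and where it loses information. It maps a Snort 2 rule header onto `tcp`/`ip.src`/`ip.dst`/`tcp.srcport`/`tcp.dstport`, each `content` onto `tcp.payload contains`, `nocase` content and `pcre` onto `matches` (Wireshark's `matches` is case-insensitive by default, so a pattern without the `i` flag is prefixed with `(?-i)`), and `pcre` with the `U`/`I` buffer flag onto `http.request.uri`. Everything it cannot express (`flow`, `depth`, `distance`, `within`, `$VARIABLES`, port ranges) is returned in a separate list so the analyst knows the display filter is wider than the rule. The sample rule is constructed from the one in the question; the field names are real Wireshark fields, the translator itself is an assumption about how you might approximate a rule, not an official mapping.

```python
import re

# Constructed sample: the rule from the question above, with its duplicated tail removed.
SAMPLE_RULE = (
    'alert tcp any any -> any any ( msg:"APT_SOGU_WD"; flow:established,to_server; '
    'content:"POST"; depth:4; content:"?wd="; content:"HTTP/1."; distance:0; '
    'content:"xdebug:"; content:"x-request:"; content:"x-content:"; content:"x-storage:"; '
    'pcre:"/\\?wd=[a-f0-9]{8}/Ui"; sid:9999999;)'
)

HEADER_RE = re.compile(
    r'^\s*alert\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$', re.S)
IPV4_RE = re.compile(r'\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?')
# Rule metadata that has no matching effect and is silently skipped.
METADATA = {'msg', 'sid', 'rev', 'gid', 'classtype', 'reference', 'metadata', 'priority'}


def split_options(body):
    """Split a rule body on ';' while respecting double quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == '\\':
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur).strip())
    return [tuple(o.split(':', 1)) if ':' in o else (o, None) for o in opts if o]


def ws_quote(text):
    """Render text as a double-quoted Wireshark display-filter string literal."""
    out = []
    for ch in text:
        if ch in '\\"':
            out.append('\\' + ch)
        elif 0x20 <= ord(ch) < 0x7f:
            out.append(ch)
        else:
            out.append('\\x%02x' % ord(ch))
    return '"' + ''.join(out) + '"'


def decode_content(value):
    """Turn Snort content syntax ('abc|0d 0a|') into a str of raw byte values."""
    out = []
    for i, part in enumerate(value.split('|')):
        if i % 2:  # odd chunks sit between |..| hex delimiters
            out.extend(chr(int(b, 16)) for b in part.split())
        else:
            out.append(part)
    return ''.join(out)


def literal_regex(raw):
    """Escape a decoded content string so that, as a regex, it matches itself."""
    return ''.join(re.escape(c) if 0x20 <= ord(c) < 0x7f else '\\x%02x' % ord(c) for c in raw)


def snort_rule_to_display_filter(rule):
    """Best-effort translation. Returns (display_filter, options that were dropped)."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('expected "alert proto src sport -> dst dport ( ... )"')
    proto = m['proto'].lower()
    header, body, dropped = [proto], [], []
    # Only literal IPv4 hosts/CIDRs and single numeric ports translate; $VARS, lists and ranges do not.
    for name, field, val, ok in (
            ('src', 'ip.src', m['src'], IPV4_RE.fullmatch),
            ('dst', 'ip.dst', m['dst'], IPV4_RE.fullmatch),
            ('sport', proto + '.srcport', m['sport'], str.isdigit),
            ('dport', proto + '.dstport', m['dport'], str.isdigit)):
        if val == 'any':
            continue
        (header.append('%s == %s' % (field, val)) if ok(val)
         else dropped.append('%s:%s' % (name, val)))
    for opt, val in split_options(m['body']):
        if opt in METADATA:
            continue
        if opt == 'content':
            negated = val.strip().startswith('!')
            raw = decode_content(val.strip().lstrip('!').strip().strip('"'))
            body.append([negated, proto + '.payload', 'contains', raw])
        elif opt == 'nocase' and body and body[-1][2] == 'contains':
            body[-1][2], body[-1][3] = 'matches', literal_regex(body[-1][3])
        elif opt == 'pcre':
            v = val.strip()
            negated = v.startswith('!')
            v = v.lstrip('!').strip().strip('"')
            pattern, _, flags = v[1:].rpartition('/')  # strip leading '/', split at last '/'
            # Snort 2 'U'/'I' select the URI buffer; everything else is matched on the payload.
            field = 'http.request.uri' if set(flags) & set('UI') else proto + '.payload'
            if 'i' not in flags:
                pattern = '(?-i)' + pattern  # Wireshark's matches is case-insensitive by default
            body.append([negated, field, 'matches', pattern])
        else:
            dropped.append(opt if val is None else '%s:%s' % (opt, val))  # depth, distance, flow, ...
    rendered = ['%s%s %s %s' % ('!' if neg else '', field, op, ws_quote(value))
                for neg, field, op, value in body]
    return ' && '.join(header + rendered), dropped


if __name__ == '__main__':
    flt, lost = snort_rule_to_display_filter(SAMPLE_RULE)
    print(flt)
    print('not expressible in a display filter:', lost)
```

Because `depth`, `distance` and `flow` are dropped, the resulting filter matches a superset of what Snort would alert on, so treat it as a triage filter and not as the rule itself; `tcp.payload` is also evaluated per segment, so a content split across two segments will not match the way Snort's reassembled stream would.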

Comments

Have you looked at the Snort (post-dissector)?

Chuckc (2021-04-08 20:49:38 +0000)

There is no way to automatically/reliably convert a Snort rule directly into a Wireshark display filter. But with the Snort post-dissector, if you are running Linux and have a working Snort installation/config on the same machine, you should be able to configure Snort with the rules of interest, then see which frames in Wireshark the alerts were triggered on (display filter 'snort').

It should also highlight where in the frame it thinks the content and pcre fields matched.

MartinM (2021-04-09 08:12:23 +0000)

I did see that someone had posted about this in here. Unfortunately, I'm restricted to using a Windows 10 terminal so a Linux solution won't work for me. I should have stated that up front.

ducko_24 (2021-04-13 11:56:15 +0000)

Is WSL/WSL2 an option? There has been some work on this in the Snort lists.

Chuckc (2021-04-13 13:41:17 +0000)