Snort mailing list archives

Replay 0.1


From: Andreas Östling <andreaso () it su se>
Date: Thu, 14 Nov 2002 14:29:35 +0100


Hello,

"Replay" (don't really know what to call it) is a simple output system
for Snort that prints out the payloads using the same delay between the
packets as was seen on the wire.

Obviously it only makes sense when reading a pcap file, and you will usually
want to make sure that you only see a conversation between two hosts and nothing else.
If the pcap is good, you will get the feeling of seeing the conversation
in real-time (i.e. www.takedown.com-style, but more primitive).
So if you manage to log an entire intrusion to a tcpdump file, you can
then use Snort in replay mode and see the attacker's screen during the
intrusion (kind of). This can be very useful for post-processing some
large tcpdump files. It may also be useful for demonstrations, or even
more important, as a funny party trick.

It's just a very quick proof-of-concept, so expect some weird results
sometimes. It has only been tested on OpenBSD and Linux.

Grab the tarball from http://nitzer.dhs.org/snort-replay/
and follow the README inside it for installation and usage instructions if you 
want to try it out. It also contains two sample pcap files to play with.

If anyone knows about a (free) tool that already does this kind of playback
of pcap files, please let me know so I don't have to continue reinventing
the wheel.

/Andreas
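
The playback idea from the post, as a stand-alone sketch added here for illustration; this is not Andreas's Snort output plugin and not code from the tarball. It parses a classic libpcap file, keeps only TCP payloads exchanged between two chosen hosts (the "one conversation" filter the post recommends), and writes each payload after sleeping for the same interval that separated it from the previous displayed packet on the wire. The hosts 10.0.0.5 and 10.0.0.9, the telnet-like exchange, and the pcap bytes are all constructed inline. Going a little beyond the post, `max_delay` is an assumed option that caps a single pause: pcap timestamps are attacker-controlled data, and a capture with a multi-hour gap (or a timestamp that goes backwards) should not stall the viewer.

```python
"""Print TCP payloads from a pcap with the original inter-packet delays.
Added example; assumes Ethernet (DLT_EN10MB) frames carrying IPv4/TCP."""
import struct
import sys
import time


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from an in-memory libpcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    # Accept little/big endian and microsecond/nanosecond variants.
    variants = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),
                0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}
    if magic not in variants:
        raise ValueError("not a libpcap file")
    endian, ts_div = variants[magic]
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_frac / ts_div, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    # Bound by the IP total length so Ethernet padding is not shown as payload.
    payload = frame[tcp_off + data_off:14 + ip_total]
    return src, sport, dst, dport, payload


def schedule(data, host_a, host_b, max_delay=None):
    """Return [(delay_before_print, 'src:port -> dst:port', payload), ...]."""
    prev = None
    out = []
    for ts, frame in parse_pcap(data):
        info = tcp_payload(frame)
        if info is None:
            continue
        src, sport, dst, dport, payload = info
        if {src, dst} != {host_a, host_b} or not payload:
            continue
        # Delay is measured between the packets actually displayed; a clock that
        # runs backwards yields 0, and max_delay (assumed option) caps long gaps.
        delay = 0.0 if prev is None else max(0.0, ts - prev)
        if max_delay is not None:
            delay = min(delay, max_delay)
        prev = ts
        out.append((delay, f"{src}:{sport} -> {dst}:{dport}", payload))
    return out


def replay(data, host_a, host_b, write=sys.stdout.write, sleep=time.sleep, max_delay=None):
    """Play the conversation back in (capped) real time."""
    for delay, _tag, payload in schedule(data, host_a, host_b, max_delay):
        sleep(delay)
        write(payload.decode("latin-1"))


# --- constructed sample capture (not a real intrusion) ---------------------
def _frame(src, sport, dst, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (fine for parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(records):
    """Classic little-endian microsecond pcap from [(ts_seconds, frame), ...]."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    (1000.000, _frame("10.0.0.9", 23, "10.0.0.5", 40000, b"login: ")),
    (1000.250, _frame("192.168.1.1", 1234, "10.0.0.9", 23, b"noise")),   # other host: filtered
    (1000.500, _frame("10.0.0.5", 40000, "10.0.0.9", 23, b"root\r\n")),
    (1001.750, _frame("10.0.0.9", 23, "10.0.0.5", 40000, b"Password: ")),
    (1003.000, _frame("10.0.0.5", 40000, "10.0.0.9", 23, b"")),          # bare ACK: no payload
    (1003.200, _frame("10.0.0.5", 40000, "10.0.0.9", 23, b"hunter2\r\n")),
])

if __name__ == "__main__":
    replay(SAMPLE_PCAP, "10.0.0.5", "10.0.0.9", max_delay=5.0)
```

Run it and the four payloads appear over about 3.2 seconds, with the other-host packet and the empty ACK dropped. The `write` and `sleep` parameters exist so the same schedule can be checked without actually waiting.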



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users