Snort mailing list archives

Re: snortsnarf


From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 12 Jul 2001 09:01:11 -0700

Hi Russ,

I figured a late response is better than no response, so here goes...

At 3:00 PM -0500 7/3/01, root wrote:
Well, this is what I'd like.... SnortSnarf to work :P


I've downloaded it, installed it, and have run it.... but it doesn't do the
analysis efficiently.


I have all the logs from snort being dumped to another location other than
/var/log/snort


and SnortSnarf doesn't want to do analysis of a single directory and then
all of the recursive files and directories within. Under its current
condition I have to manually enter all of the files into SnortSnarf when
I'm looking for an automated process.

any help would be appreciated.


If I understand you correctly, you are trying to feed SnortSnarf your log files (i.e., the file with port numbers in the names inside directories named after IP addresses). This is not the input that SnortSnarf is set up for. Instead you will need to give it your alert file (e.g., produced by -A, either fast or full), or your syslog file (if you use -s or the config file equivalent).

Hope this helps,

  Jim

--
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland () SiliconDefense com                *|
|*              http://www.silicondefense.com/              *|
|*      Silicon Defense - Technical Support for Snort       *|
|*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
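As an added illustration of the distinction Jim draws (not code from the thread or from SnortSnarf), the following walks a Snort log tree, separates the `-A fast`/`-A full` alert file from the per-host packet-log directories (IP-named directories holding files with port numbers in their names), and tallies alerts per signature the way SnortSnarf would from that input. The directory layout and alert lines are constructed sample data.

```python
import os
import re
import tempfile

# Snort "-A fast" alert line: timestamp, [**] [gid:sid:rev] signature [**], ...
FAST_ALERT_RE = re.compile(
    r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<sig>.+?)\s+\[\*\*\]"
)
# Packet-log layout: a directory named after an IP, holding files like TCP:1234-80
IP_DIR_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def classify_snort_tree(base: str) -> dict:
    """Split a Snort log tree into SnortSnarf-usable alert files and the
    per-host packet logs that SnortSnarf does not read."""
    result = {"alert_files": [], "packet_logs": []}
    for root, _dirs, files in os.walk(base):
        for name in files:
            path = os.path.join(root, name)
            if IP_DIR_RE.match(os.path.basename(root)):
                result["packet_logs"].append(path)  # decoded packets, not alerts
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                first = fh.readline()
            # fast format starts with a timestamp; full format starts with [**]
            if FAST_ALERT_RE.match(first) or first.startswith("[**]"):
                result["alert_files"].append(path)
    for key in result:
        result[key].sort()
    return result

def count_signatures(alert_file: str) -> dict:
    """Per-signature counts from a fast-format alert file."""
    counts = {}
    with open(alert_file, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = FAST_ALERT_RE.match(line)
            if m:
                counts[m.group("sig")] = counts.get(m.group("sig"), 0) + 1
    return counts

def build_demo_tree() -> str:
    """Constructed sample tree (hypothetical data, not a real capture)."""
    base = tempfile.mkdtemp(prefix="snortlog_")
    host_dir = os.path.join(base, "10.0.0.1")
    os.makedirs(host_dir)
    with open(os.path.join(host_dir, "TCP:1234-80"), "w") as fh:
        fh.write("packet dump placeholder\n")
    with open(os.path.join(base, "alert"), "w") as fh:
        fh.write("07/03-15:00:01.123456  [**] [1:1000001:1] CONSTRUCTED test alert [**] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80\n")
        fh.write("07/03-15:00:02.654321  [**] [1:1000001:1] CONSTRUCTED test alert [**] [Priority: 2] {TCP} 10.0.0.1:1235 -> 10.0.0.2:80\n")
        fh.write("07/03-15:00:03.000000  [**] [1:1000002:1] CONSTRUCTED other alert [**] [Priority: 3] {UDP} 10.0.0.3:53 -> 10.0.0.2:53\n")
    return base
```

Pointing `classify_snort_tree` at the real log base directory yields the `alert_files` list that should be handed to snortsnarf.pl, while everything under `packet_logs` is left out.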

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

