Snort mailing list archives
RE: I need some serious help
From: "Don" <Don () WeberOnTheWeb com>
Date: Tue, 11 Jun 2002 11:31:38 -0700
That's the problem: Snort is set up for tcpdump, but I cannot replay the dump files; it gives an error. Reading the files in an editor reveals there are a number of Code Red scans, and apparently something in the code prevents the playback, using the command line

    snort -dr snort.log -c c:\extract\snort.conf -l c:\extract\log

Snort is restarted daily, creating 0606@14-snort.log, 0607@14-snort.log, and so on. I copy the logs to/from a remote system and play them back to get the alerts and log structure for parsing and investigation. These particular files are from just this system; when I go to rename them to snort.log for the extraction process, it says "in use, cannot be renamed", and the file then self-deletes. Weird, I say.

Don

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Tuesday, June 11, 2002 11:23 AM
To: Don
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] I need some serious help

On Tue, 11 Jun 2002, Don wrote:
> I have some snort traffic that causes real problems with snort, and
> reading the logfile, it doesn't look good. It turns out that I cannot
> generate alert files from the tcpdump file; could someone help me out
> directly here.

From the mind of Douglas Adams: "Don't Panic" and "Always know where your towel is." :)

You need to turn on binary logging. You can do that in two ways:

1) Adding "-b" to the command line
2) Adding "output log_tcpdump: snort.log" into your snort.conf file.

Now you've got the packets, what do you want to do with them? Read/replay them at your leisure?

    snort -vader <logfile>

Will dump them out to your screen. Pipe to pager program of your choice and read from there.

Hope that helps!

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
Current thread:
- I need some serious help Don (Jun 11)
- Re: I need some serious help Erek Adams (Jun 11)
- RE: I need some serious help Don (Jun 11)
- RE: I need some serious help Erek Adams (Jun 11)
- RE: I need some serious help Don (Jun 11)
- Re: I need some serious help Erek Adams (Jun 11)