Snort mailing list archives
Re: multiple files off of stdin?
From: Phil Wood <cpw () lanl gov>
Date: Sat, 19 Apr 2003 10:41:08 -0600
I cannot think of any reason to run snort just once. Why not:

    ls *.pcap | while read f; do
        snort -r "$f" ... other args
    done

I've done this on many occasions (using mysql/acid) to populate an acid web page.

On Sat, Apr 19, 2003 at 10:54:24AM -0400, Michael L. Artz wrote:
Don't know if the last message got through, sorry if this is a dup ...

Anyway, is there a way to have snort process multiple files off of stdin? I.e.

    cat file1.pcap file2.pcap | snort -r - <other args>

fails just before processing file2 with the error: "pcap_loop: truncated dump file", which I assume has to do with the little header that libpcap formatted files have at the beginning.

I can mergecap the files and run them through fine, it is only when I try and run multiple pcap files through, in a fashion such as:

    (for i in *.cap.gz; do gzip -dc "$i"; done) | snort -r - <args>

which I can't easily mergecap because of space issues. Plus, I have the files spread across multiple DVDs and would like to have a little script that creates a snort pipe and then pumps pcap files to it, which could be written so that snort (and all session and reassembly information) survives a change of dvd.

Thanks
-Mike

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
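Added example, not part of the original thread or of Snort: a small filter that turns several capture files into one valid pcap stream by emitting the 24-byte libpcap file header only once, which is the header the quoted message suspects as the cause of "pcap_loop: truncated dump file". The script name pcapcat.py and all function names are hypothetical; it assumes classic microsecond-resolution pcap files and rejects anything else.

```python
import gzip
import struct

PCAP_HDR_LEN = 24  # size of the libpcap global file header
# First four bytes on disk -> struct byte-order prefix (microsecond pcap only).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def open_capture(path):
    """Open a capture file, transparently decompressing *.gz."""
    return gzip.open(path, "rb") if str(path).endswith(".gz") else open(path, "rb")


def read_header(stream):
    """Return (raw_header, magic_bytes, linktype) or raise ValueError."""
    hdr = stream.read(PCAP_HDR_LEN)
    if len(hdr) != PCAP_HDR_LEN or hdr[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(MAGICS[hdr[:4]] + "I", hdr[20:24])
    return hdr, hdr[:4], linktype


def merge_streams(streams, out, chunk=1 << 16):
    """Write one file header, then the packet records of every stream."""
    first = None
    for s in streams:
        hdr, magic, linktype = read_header(s)
        if first is None:
            first = (magic, linktype)
            out.write(hdr)                # only the first header is emitted
        elif (magic, linktype) != first:  # reader would misparse these records
            raise ValueError("byte order or link type differs from first file")
        for data in iter(lambda: s.read(chunk), b""):
            out.write(data)


def merge_files(paths, out):
    """Open captures one at a time so only one file is held open."""
    def gen():
        for p in paths:
            with open_capture(p) as f:
                yield f
    merge_streams(gen(), out)


if __name__ == "__main__":
    # Usage (assumed): python3 pcapcat.py *.cap.gz | snort -r - <args>
    import sys
    merge_files(sys.argv[1:], sys.stdout.buffer)
```

Because snort sees a single stream, session and reassembly state carries across file boundaries; the snaplen in the first header applies to the whole stream, so start with the file that has the largest one.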
Current thread:
- multiple files off of stdin? Michael L. Artz (Apr 19)
- Re: multiple files off of stdin? Phil Wood (Apr 19)
- Re: multiple files off of stdin? Michael L. Artz (Apr 19)
- Re: multiple files off of stdin? Chris Green (Apr 23)
- Re: multiple files off of stdin? Phil Wood (Apr 19)