Re: "Saving State" in Snort

[Chris Green <cmg () sourcefire com>]

"Michael L. Artz" <dragon () october29 net> writes:

> Chris Green wrote:
>
> > Finally a use for reading in off stdin
> >
> > (for i in *.cap.gz| do gzip -dc $i; done) | snort -r -  <args>
>
> This seems to fail for me on the "breaks" between files with the error:
>
> pcap_loop:  truncated dump file
>
> I assume that this has to do with the little header that tcpdump adds
> to the beginning of each file, i.e. I can mergecap them and run them
> through just fine.  Is there something that I am missing beyond 'cat
> *.pcap | snort -r -'?  Would a newer libpcap solve the problem?

Nah, I just saw a mailing list reply from Guy Harris over on the
tcpdump works mailing list that uses something more akin to

(COUNTER=0;
 for i in *.cap.gz;
 do
    if [ COUNTER -eq 0 ];
        gzip -dc $i
        COUNTER=1;
    else
        gzip -dc $i | dd bs=24 count=0 skip=1
    fi
 done) | snort -r -

> Snort 1.9.1, fairly stock RH8.0.
>
> -Mike
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Chris Green <cmg () sourcefire com>
Laugh and the world laughs with you, snore and you sleep alone.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users