Snort mailing list archives

Re: SNORT not saving pcap file


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 25 Oct 2012 20:45:39 -0400

On 10/25/2012 19:18, jtravlos () rsignia com wrote:
When I do the command, a file shows up in the folder, but then disappears when I
stop SNORT.

"a file"?? what file? what is the name?

It appears when I use snort.conf, it won't save the file.

this sounds like possibly some kind of clean up from your script that executes 
snort... more info is needed :/


    *From:* Joel Esler [mailto:jesler () sourcefire com]
    *Sent:* Thursday, October 25, 2012 03:18 PM
    *To:* jtravlos () rsignia com
    *Cc:* snort-users () lists sourceforge net
    *Subject:* Re: [Snort-users] SNORT not saving pcap file

    Your command line is overriding your .conf

    Try

    ./snort -i dag0:0 -c /etc/snort/snort.conf

    --
    *Joel Esler*
    Senior Research Engineer, VRT
    OpenSource Community Manager
    Sourcefire

    On Oct 25, 2012, at 2:54 PM, jtravlos () rsignia com
    <mailto:jtravlos () rsignia com> wrote:

    I'm running snort 2.9.3.1 on CentOS 6.3 capturing traffic via Endace DAG
    card. I want to save to a file (pcap format) the traffic that it sees. I
    know in snort.conf there are some settings, but it does not appear to
    save the file. Whenever I use the snort.conf, it is not saved.

    The settings are:
    config logdir: /data/snortlog

    # pcap
    output log_tcpdump: tcpdump.log

    The command I'm using to start snort:

    ./snort -d -b -i dag0:0 -c /etc/snort/snort.conf

    If I use this, I get a file that tcpdump can read, but no detail packet info.

    ./snort -d -b -i dag0:0 -l /data/snortlog -L tcpdump.log


    Attached is the snort.conf.

    Any suggestions? What am I doing wrong?

    Thanks,

    John Travlos

