Snort mailing list archives
Re: Can Snort work with erf file?
From: Marcos Rodriguez <marcos.e.rodriguez () gmail com>
Date: Fri, 7 Feb 2014 13:11:07 -0500
On Fri, Feb 7, 2014 at 11:28 AM, Joel Esler (jesler) <jesler () cisco com> wrote:
> There is a daq that supports Endace Cards. But not the files themselves.
> http://www.snort.org/snort-downloads/external-daq/
>
> --
> *Joel Esler*
> Threat Intelligence Team Lead
> Open Source Manager
> Vulnerability Research Team
>
> On Jan 23, 2014, at 7:24 PM, Han Zhang <zhanghan0116 () gmail com> wrote:
>
>> Hi all,
>> Can Snort work with erf files? I tried snort -r test_erf and snort -r ref:test_erf, but neither worked. Any comment is appreciated.
>> Thanks
>> Han

It sounds like you have an Endace card, so you most likely have their toolchain. You can convert the ERF file to PCAP by using the "dagconvert" utility. If you don't have access to that tool, Wireshark can handle ERF captures and you can then save that as a tcpdump style pcap. Hope this helps.
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
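The ERF-to-pcap conversion suggested in this thread can also be done directly when neither dagconvert nor Wireshark is at hand. The following is an added example, not part of the original messages and not code from Endace or the Snort project; it handles Ethernet (type 2) records only, and `erf_to_pcap`, `sample_erf` and the sample bytes are hypothetical and constructed for illustration.

```python
import struct

ERF_TYPE_ETH = 2  # Ethernet record type in the ERF record header
# Classic pcap global header: magic, version 2.4, zone, sigfigs, snaplen, linktype 1 (Ethernet)
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def erf_to_pcap(erf: bytes) -> bytes:
    """Convert Ethernet ERF records into a little-endian pcap byte string."""
    out, off = [PCAP_HDR], 0
    while off < len(erf):
        if off + 16 > len(erf):
            raise ValueError(f"truncated ERF header at offset {off}")
        (ts,) = struct.unpack_from("<Q", erf, off)  # 32.32 fixed point, little-endian
        # type, flags, record length, loss counter, wire length (big-endian)
        rtype, _flags, rlen, _lctr, wlen = struct.unpack_from(">BBHHH", erf, off + 8)
        if rlen < 16 or off + rlen > len(erf):
            raise ValueError(f"bad record length {rlen} at offset {off}")
        hdr, more = 16, rtype & 0x80  # top bit of type: an extension header follows
        while more:
            if hdr + 8 > rlen:
                raise ValueError(f"extension header overruns record at offset {off}")
            more = erf[off + hdr] & 0x80
            hdr += 8
        if (rtype & 0x7F) == ERF_TYPE_ETH:
            hdr += 2  # Ethernet records carry offset + pad bytes before the frame
            frame = erf[off + hdr:off + rlen][:wlen]  # drop alignment padding
            sec, frac = ts >> 32, ts & 0xFFFFFFFF
            usec = (frac * 1_000_000) >> 32  # binary fraction to microseconds
            out.append(struct.pack("<IIII", sec, usec, len(frame), wlen) + frame)
        off += rlen  # records of other types are skipped
    return b"".join(out)


def sample_erf() -> bytes:
    """Constructed input: one padded Ethernet record, then one non-Ethernet record."""
    frame = bytes.fromhex("ffffffffffff0200000000010806") + bytes(46)  # 60-byte frame
    ts = struct.pack("<Q", (1391796667 << 32) | (1 << 31))  # constructed time, .5 s
    eth = ts + struct.pack(">BBHHH", 2, 4, 80, 0, 60) + bytes(2) + frame + bytes(2)
    other = ts + struct.pack(">BBHHH", 1, 4, 24, 0, 8) + bytes(8)
    return eth + other
```

Writing the returned bytes to a file gives a capture that can be read with `snort -r`.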
Current thread:
- Can Snort work with erf file? Han Zhang (Feb 07)
- Re: Can Snort work with erf file? Joel Esler (jesler) (Feb 07)
- Re: Can Snort work with erf file? Marcos Rodriguez (Feb 07)
- Re: Can Snort work with erf file? Joel Esler (jesler) (Feb 07)