Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort using rpcap in windows

From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 17 Feb 2015 12:17:52 +0000
Take a look at the README file included with the DAQ:

PCAP Module
===========

pcap is the default DAQ.  If snort is run w/o any DAQ arguments, it will
operate as it always did using this module.  These are equivalent:

    ./snort -i <device>
    ./snort -r <file>

    ./snort --daq pcap --daq-mode passive -i <device>
    ./snort --daq pcap --daq-mode read-file -r <file>



You need to use the “–daq-mode read-file” if you are going to use pcap mode with the daq.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Eugene Grama [mailto:eugene.grama () gmail com]
Sent: Tuesday, February 17, 2015 4:28 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort using rpcap in windows

I tried to search on google, but still with no luck, but I'm always bumping into this file

http://snort.sourcearchive.com/documentation/2.8.5.2/remote-ext_8h-source.html

http://snort.sourcearchive.com/documentation/2.8.5.2/group__remote__source__string.html
I'm not sure what is this for, and i cannot even locate this remote-exe.h file in my machine (if this is a file)
Thank you and best regards,
eugene

On Tue, Feb 17, 2015 at 5:19 PM, Eugene Grama <eugene.grama () gmail com<mailto:eugene.grama () gmail com>> wrote:
Hello again,
I had used this command and it is working and collecting packets

dumpcap -i rpcap://[xx.xx.xx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} -w c:\dumpcap.log
i need this traffic to pass through snort so that it will generate alert
how can be this done? any advice?


Thank you and best regards,
eugene

On Tue, Feb 17, 2015 at 2:24 PM, Eugene Grama <eugene.grama () gmail com<mailto:eugene.grama () gmail com>> wrote:

Hello,

Can snort run using rpcap? I'm trying this command, but not successful

snort -c c:\Snort\etc\snort.conf -l c:\Snort\log --daq pcap --daq-mode inline -i 
rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}

I run on ERROR:pcap does not support inline

run command snort --daq-list; the result is Available DAQ modules: pcap(v3): readback live multi unpriv

Please help, how can i connect and collect data to my remote machine (Windows web server)
--
Thank you and Best regards,

Eugene




--
Thank you and Best regards,

Eugene



--
Thank you and Best regards,

Eugene

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: