Snort mailing list archives
Re: snort using rpcap in windows
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 17 Feb 2015 12:17:52 +0000
Take a look at the README file included with the DAQ:

    PCAP Module
    ===========

    pcap is the default DAQ. If snort is run w/o any DAQ arguments, it will
    operate as it always did using this module. These are equivalent:

        ./snort -i <device>
        ./snort -r <file>
        ./snort --daq pcap --daq-mode passive -i <device>
        ./snort --daq pcap --daq-mode read-file -r <file>

You need to use "--daq-mode read-file" if you are going to use pcap mode with the DAQ.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Eugene Grama [mailto:eugene.grama () gmail com]
Sent: Tuesday, February 17, 2015 4:28 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort using rpcap in windows

I tried to search on Google, but still with no luck; I keep bumping into this file:

    http://snort.sourcearchive.com/documentation/2.8.5.2/remote-ext_8h-source.html
    http://snort.sourcearchive.com/documentation/2.8.5.2/group__remote__source__string.html

I'm not sure what this is for, and I cannot even locate this remote-exe.h file on my machine (if this is a file).

Thank you and best regards,
eugene

On Tue, Feb 17, 2015 at 5:19 PM, Eugene Grama <eugene.grama () gmail com> wrote:

Hello again,

I used this command and it is working and collecting packets:

    dumpcap -i rpcap://[xx.xx.xx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} -w c:\dumpcap.log

I need this traffic to pass through snort so that it will generate alerts. How can this be done? Any advice?

Thank you and best regards,
eugene

On Tue, Feb 17, 2015 at 2:24 PM, Eugene Grama <eugene.grama () gmail com> wrote:

Hello,

Can snort run using rpcap? I'm trying this command, but not successfully:

    snort -c c:\Snort\etc\snort.conf -l c:\Snort\log --daq pcap --daq-mode inline -i rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}

I run into:

    ERROR:pcap does not support inline

Running the command snort --daq-list gives:

    Available DAQ modules:
    pcap(v3): readback live multi unpriv

Please help: how can I connect and collect data to my remote machine (Windows web server)?

--
Thank you and Best regards,
Eugene