Snort mailing list archives

Re: Snort read an incremental file


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 30 Jan 2017 15:46:49 +0000

Is there a particular reason that you are doing it this way, or can you just read directly from the network interface?

--
Joel Esler | Talos: Manager | jesler () cisco com






On Jan 30, 2017, at 10:42 AM, Paul Li <paul () scybersecurity com> wrote:

Thanks Felix. That works well for my issue. Much appreciated.

A follow-up question: if I have multiple pipes like this one, is there any order in which Snort reads them?

Thanks,
Paul

On Saturday, January 28, 2017, Felix Erlacher <felix.erlacher () uibk ac at> wrote:
Hi Paul,

On a decent OS you can write pcap data to a named pipe and make snort
read from that named pipe. That might be a solution in your case.

Example on Debian:
#mkfifo mypipe
then make your program write data to that file, and with snort simply
#snort -c snort.conf -r ./mypipe

greets

felix

On 28/01/17 14:52, Paul Li wrote:
I've got a pcap file that keeps adding new network data. I know Snort can
read a file, but is there a way Snort can read the continuously added
data in the file?

Thanks,
Paul


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


--
Felix Erlacher
ccs-labs.org/~erlacher

Key-ID:4EAC0959




Attachment: signature.asc
Description: Message signed with OpenPGP

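Added example (not from the thread, and not Snort code): a Python script that does what Felix describes with a FIFO. A writer thread emits a pcap stream into the pipe (one global header, then one record per packet) and a reader parses it record by record, standing in for `snort -c snort.conf -r ./mypipe`. The function names (`write_pcap_stream`, `read_pcap_stream`, `demo_fifo`) and the two sample frames are constructed for illustration; it assumes a POSIX system with `os.mkfifo` and the classic little-endian pcap format (magic 0xa1b2c3d4, LINKTYPE_ETHERNET).

```python
"""
Added example (not from the Snort mailing list thread): stream pcap records
through a named pipe and read them back as a stream.

Assumptions: POSIX (os.mkfifo); classic little-endian pcap format with
microsecond timestamps and LINKTYPE_ETHERNET = 1. SAMPLE_PACKETS are
constructed, not captured.
"""
import os
import struct
import tempfile
import threading

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
# magic, version major, version minor, thiszone, sigfigs, snaplen, network
GLOBAL_HEADER = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len, orig_len
RECORD_HEADER = struct.Struct("<IIII")


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    return GLOBAL_HEADER.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, data):
    return RECORD_HEADER.pack(ts_sec, ts_usec, len(data), len(data)) + data


def write_pcap_stream(path, packets):
    # Opening a FIFO for writing blocks until a reader (e.g. snort -r) opens it.
    # The global header is written exactly once, at the start of the stream.
    with open(path, "wb") as fh:
        fh.write(pcap_global_header())
        fh.flush()
        for ts_sec, ts_usec, data in packets:
            fh.write(pcap_record(ts_sec, ts_usec, data))
            fh.flush()  # make each record visible to the reader immediately


def _read_exact(fh, n):
    """Read n bytes, looping over short reads; returns fewer only at EOF."""
    buf = b""
    while len(buf) < n:
        chunk = fh.read(n - len(buf))
        if not chunk:
            return buf  # writer closed its end of the pipe
        buf += chunk
    return buf


def read_pcap_stream(path):
    """Parse a pcap stream record by record; returns [(ts_sec, ts_usec, bytes)]."""
    packets = []
    with open(path, "rb") as fh:
        hdr = _read_exact(fh, GLOBAL_HEADER.size)
        if len(hdr) < GLOBAL_HEADER.size:
            raise ValueError("short pcap global header")
        magic, _major, _minor, _tz, _sf, snaplen, _linktype = GLOBAL_HEADER.unpack(hdr)
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian classic pcap stream: %#x" % magic)
        while True:
            rh = _read_exact(fh, RECORD_HEADER.size)
            if not rh:
                break  # clean EOF between records
            if len(rh) < RECORD_HEADER.size:
                raise ValueError("truncated record header")
            ts_sec, ts_usec, incl_len, _orig_len = RECORD_HEADER.unpack(rh)
            if incl_len > snaplen:
                raise ValueError("incl_len %d exceeds snaplen %d" % (incl_len, snaplen))
            data = _read_exact(fh, incl_len)
            if len(data) < incl_len:
                raise ValueError("truncated packet data")
            packets.append((ts_sec, ts_usec, data))
    return packets


def demo_fifo(packets):
    """Create a FIFO, write `packets` into it from a thread, and read them back."""
    with tempfile.TemporaryDirectory() as d:
        fifo = os.path.join(d, "mypipe")
        os.mkfifo(fifo)  # equivalent of: mkfifo mypipe
        writer = threading.Thread(target=write_pcap_stream, args=(fifo, packets))
        writer.start()
        got = read_pcap_stream(fifo)  # stands in for: snort -c snort.conf -r ./mypipe
        writer.join()
    return got


# Constructed sample: two Ethernet-sized frames with arbitrary payloads.
SAMPLE_PACKETS = [
    (1485614400, 1000, bytes(range(14)) + b"first"),
    (1485614400, 2000, bytes(range(14)) + b"second"),
]

if __name__ == "__main__":
    for ts_sec, ts_usec, data in demo_fifo(SAMPLE_PACKETS):
        print(ts_sec, ts_usec, len(data))
```

Two points the script makes concrete. A reader of a regular file that is still being appended to sees EOF as soon as it catches up with the writer, whereas a read on a FIFO blocks until more data arrives or the writer closes its end, which is why the pipe works where `-r growing.pcap` does not. And the stream must start with exactly one pcap global header; a program that simply appends captured bytes into the pipe without it will not be parseable by any libpcap-based reader.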
