Snort mailing list archives

Re: Snort read a incremental file

From: Felix Erlacher <felix.erlacher () uibk ac at>
Date: Mon, 30 Jan 2017 16:54:37 +0100

Hi Paul,

I would naively assume that Snort reads them one after another in the
same order it would read normal files.

greets

felix

On 30/01/17 16:42, Paul Li wrote:

Thanks Felix. That works well for my issue. Much appreciated.

A follow up question: if I have a multiple pipes like this one, would
there be any order how snort reads them?

Thanks,
Paul

On Saturday, January 28, 2017, Felix Erlacher <felix.erlacher () uibk ac at
<mailto:felix.erlacher () uibk ac at>> wrote:

    Hi Paul,

    On a decent OS you can write pcap data to a named pipe and make snort
    read form that named pipe. That might be a solution in your case.

    Example on Debian:
    #mkfifo mypipe
    than make your program write data to that file, and with snort simply
    #snort -c snort.conf -r ./mypipe

    greets

    felix

    On 28/01/17 14:52, Paul Li wrote:
    > I've got a pcap file that keep adding new network data. I know
    Snort can
    > read a file, but is there a way Snort can read the continuously added
    > data to the file?
    >
    > Thanks,
    > Paul
    >
    >
    >
    ------------------------------------------------------------------------------
    > Check out the vibrant tech community on one of the world's most
    > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
    >
    >
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-users () lists sourceforge net <javascript:;>
    > Go to this URL to change user options or unsubscribe:
    > https://lists.sourceforge.net/lists/listinfo/snort-users
    <https://lists.sourceforge.net/lists/listinfo/snort-users>
    > Snort-users list archive:
    >
    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
    <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users>
    >
    > Please visit http://blog.snort.org to stay current on all the
    latest Snort news!
    >

    --
    Felix Erlacher
    ccs-labs.org/~erlacher <http://ccs-labs.org/~erlacher>

    Key-ID:4EAC0959


-- 
Felix Erlacher
ccs-labs.org/~erlacher

Key-ID:4EAC0959

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort read a incremental file Paul Li (Jan 28)
- <Possible follow-ups>
- Fwd: Re: Snort read a incremental file Felix Erlacher (Jan 28)
  - Re: Snort read a incremental file Paul Li (Jan 30)
    - Re: Snort read a incremental file Joel Esler (jesler) (Jan 30)
    - Re: Snort read a incremental file Paul Li (Jan 30)
    - Re: Snort read a incremental file Alberto Colosi (Jan 30)
    - Re: Snort read a incremental file Felix Erlacher (Jan 30)