NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Snort IDS> 2003-04

Re: [Snort-users] "Saving State" in Snort

From: Phil Wood (cpwcynosure.lanl.gov)
Date: Tue Apr 01 2003 - 09:18:26 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 01, 2003 at 09:05:38AM -0500, Chris Green wrote:
> "Michael L. Artz" <dragonoctober29.net> writes:
>
> > I am fairly new to Snort, so feel free to abuse away ...
> >
> [ snip ]
>
> > Is there an intelligent way to do this? I think that having Snort
> > (optionally) dump its current state and then be able to read it in and
> > start where it left off would be pretty cool, and solve my situation
> > nicely.
> >
> > Any help would be appreciated.
> >
> > Thanks
> > -Mike
> >
>
> Finally a use for reading in off stdin
>
> (for i in *.cap.gz| do gzip -dc $i; done) | snort -r - <args>

Been doing it for years. Now, when are you going to convert* all those crufty
stdout debug, info, and error messages to stderr, so we can:

cat pcapfile.gz | snort -r - ... -b -L - > snort.cap.gz

? Never mind.

* convert script (unless your virus checker considers it harmful).

>
> --
> Chris Green <cmgsourcefire.com>
> Warning: time of day goes back, taking countermeasures.
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: ValueWeb:
> Dedicated Hosting for just $79/mo with 500 GB of bandwidth!
> No other company gives more support or power for your dedicated server
> http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Phil Wood, cpwlanl.gov

-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb:
Dedicated Hosting for just $79/mo with 500 GB of bandwidth!
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

text/plain attachment: printf-to-LogMessage

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]