Re: [Snort-users] "Saving State" in Snort (Absent until 29/07/2002)
From: Pascal Painparay (pascal.painparay
tdf.fr)
Date: Mon Apr 21 2003 - 10:22:01 CDT
I am away until 21/04/03 inclusive.
In case of emergency, you can contact:
Christophe Savin at 01 49 15 32 75.
Regards
Pascal Painparay
>>> snort-users 04/21/03 17:04 >>>
"Michael L. Artz" <dragon
october29.net> writes:
> Chris Green wrote:
>
>>Finally a use for reading in off stdin
>>
>>(for i in *.cap.gz; do gzip -dc "$i"; done) | snort -r - <args>
>>
>
> This seems to fail for me on the "breaks" between files with the error:
>
> pcap_loop: truncated dump file
>
> I assume that this has to do with the little header that tcpdump adds
> to the beginning of each file, i.e. I can mergecap them and run them
> through just fine. Is there something that I am missing beyond 'cat
> *.pcap | snort -r -'? Would a newer libpcap solve the problem?
Nah, I just saw a mailing list reply from Guy Harris over on the
tcpdump-workers mailing list that uses something more akin to
(COUNTER=0;
for i in *.cap.gz;
do
  if [ "$COUNTER" -eq 0 ];
  then
    # first file: keep its 24-byte pcap file header
    gzip -dc "$i"
    COUNTER=1;
  else
    # later files: skip the first 24-byte block (the pcap file header)
    gzip -dc "$i" | dd bs=24 skip=1
  fi
done) | snort -r -
>
>
> Snort 1.9.1, fairly stock RH8.0.
>
> -Mike
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users
lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Chris Green <cmg
sourcefire.com>
Laugh and the world laughs with you, snore and you sleep alone.
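The header handling discussed in this thread, as an added example that is not part of the original messages: a POSIX shell function that passes the first capture through whole, strips the 24-byte pcap file header from later ones, and skips any file whose header differs from the first (a different byte order, snaplen or link type would otherwise be decoded under the first file's header). The names pcap_cat, pcap_header and emit are hypothetical, and classic libpcap savefiles are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes classic libpcap
# savefiles: a 24-byte file header followed by packet records.

# emit FILE: write FILE to stdout, decompressing names ending in .gz
emit() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# pcap_header FILE: the 24-byte file header as one line of hex digits
pcap_header() {
    emit "$1" | head -c 24 | od -An -v -tx1 | tr -d ' \n'
}

# pcap_cat FILE...: first file whole, later files without their header.
# A file that is too short, or whose header differs from the first
# file's, is skipped with a warning and the function returns 1.
pcap_cat() {
    first_hdr= rc=0
    for f in "$@"; do
        hdr=$(pcap_header "$f")
        if [ ${#hdr} -ne 48 ]; then
            echo "pcap_cat: $f: shorter than a pcap header, skipped" >&2
            rc=1
        elif [ -z "$first_hdr" ]; then
            first_hdr=$hdr
            emit "$f"
        elif [ "$hdr" != "$first_hdr" ]; then
            echo "pcap_cat: $f: header differs from first file, skipped" >&2
            rc=1
        else
            emit "$f" | tail -c +25    # start at byte 25, past the header
        fi
    done
    return $rc
}

# Usage, with the pipeline from the thread:
#   pcap_cat *.cap.gz | snort -r - <args>
```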