This is Interesting: Free IT Magazines  
Home > Archive > Snort > September 2004 > [Snort-users] reading packet capture file





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author [Snort-users] reading packet capture file
John Fiore

2004-09-22, 10:25 pm

I have a large packet capture file which contains a
record of malicious activity. Is it possible to read
it into snort offline? Thanks in advance.

John



-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Scott Zawalski

2004-09-22, 10:25 pm

Yes this is possible. Just like tcpdump you can supply the -r filename
option.

snort --help provides a lot of quick information including the above.


Scott


John Fiore wrote:

>I have a large packet capture file which contains a
>record of malicious activity. Is it possible to read
>it into snort offline? Thanks in advance.
>
>John
>
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
>Project Admins to receive an Apple iPod Mini FREE for your judgement on
>who ports your project to Linux PPC the best. Sponsored by IBM.
>Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
> ________________________________________
_______
>Snort-users mailing list
>Snort-users@lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists...nfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf....ist=snort-users
>
>
>



-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Matt Kettler

2004-09-22, 10:25 pm

At 11:59 AM 9/20/2004, John Fiore wrote:
>I have a large packet capture file which contains a
>record of malicious activity. Is it possible to read
>it into snort offline? Thanks in advance

If it's a tcpdump binary capture file, certainly.. use snort's -r parameter
(see man snort for more detail).



-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2010 webservertalk.com