[Snort-devel] snort-1.9.0b6 and barnyard discrepancies

Steve Halligan giermo at ...269...
Fri Aug 23 06:48:09 EDT 2002


Dragos released a tool that converts a unified log/alert file directly into
a tcpdump/pcap capture.
Try running it on the unified file and see if it is the culprit, or if
Barnyard is somehow mangling it.

http://dragos.com/logtopcap.c

-steve
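The check suggested above (convert the unified file to pcap and see whether it matches the tcpdump capture) is easiest when something points at the first packet that differs. The script below is an added example for this thread, not code from Snort, Barnyard or logtopcap; it assumes both inputs are classic libpcap files (the format tcpdump writes and logtopcap is described as producing), and the frames it uses when run without arguments are constructed placeholders, not real traffic.

```python
"""
Packet-by-packet comparison of two classic libpcap files.

Added example for this thread (not Snort, Barnyard or logtopcap code): once
the unified file has been converted to pcap, this locates the first packet
where that pcap and the original tcpdump capture disagree.
"""
import hashlib
import struct
import sys

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps


def read_pcap(data):
    """Parse a classic pcap byte string (either byte order, us or ns magic).

    Returns (linktype, records) where each record is a tuple
    (ts_sec, ts_frac, caplen, wirelen, packet_bytes). A truncated file
    raises ValueError instead of silently yielding a short capture.
    """
    if len(data) < 24:
        raise ValueError("truncated global header")
    for end in ("<", ">"):
        magic = struct.unpack_from(end + "I", data, 0)[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a classic pcap file (magic %#x)"
                         % struct.unpack_from("<I", data, 0)[0])
    _, _vmaj, _vmin, _zone, _sigfigs, snaplen, linktype = \
        struct.unpack_from(end + "IHHiIII", data, 0)
    off, records = 24, []
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, wirelen = struct.unpack_from(end + "IIII", data, off)
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_frac, caplen, wirelen, data[off:off + caplen]))
        off += caplen
    return linktype, records


def first_mismatch(x, y):
    """Index of the first differing byte, or the shorter length if one is a prefix."""
    for j, (cx, cy) in enumerate(zip(x, y)):
        if cx != cy:
            return j
    return min(len(x), len(y))


def compare_captures(pcap_a, pcap_b):
    """Return a list of difference descriptions; an empty list means the captures agree."""
    lt_a, recs_a = read_pcap(pcap_a)
    lt_b, recs_b = read_pcap(pcap_b)
    diffs = []
    if lt_a != lt_b:
        diffs.append("linktype differs: %d vs %d" % (lt_a, lt_b))
    if len(recs_a) != len(recs_b):
        diffs.append("packet count differs: %d vs %d" % (len(recs_a), len(recs_b)))
    for i, (ra, rb) in enumerate(zip(recs_a, recs_b)):
        if ra[:4] != rb[:4]:  # timestamp or length fields disagree
            diffs.append("packet %d: header differs (ts_sec, ts_frac, caplen, wirelen) %s vs %s"
                         % (i, ra[:4], rb[:4]))
        if ra[4] != rb[4]:    # packet bytes disagree
            diffs.append("packet %d: payload differs at byte %d (sha256 %s vs %s)"
                         % (i, first_mismatch(ra[4], rb[4]),
                            hashlib.sha256(ra[4]).hexdigest()[:12],
                            hashlib.sha256(rb[4]).hexdigest()[:12]))
    return diffs


def build_pcap(packets, linktype=1, snaplen=1514):
    """Write a little-endian, microsecond pcap from raw frames (used only to construct sample input)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1030000000 + i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


# Constructed sample frames (not real traffic): 60-byte placeholder Ethernet frames.
FRAME_A = bytes(range(60))
FRAME_B = b"\xaa" * 60
FRAME_C = b"\x00" * 60
ORIGINAL = build_pcap([FRAME_A, FRAME_B, FRAME_C])
# The same capture with one byte of the second frame corrupted, standing in for a mangled conversion.
MANGLED = build_pcap([FRAME_A, FRAME_B[:14] + b"\xbb" + FRAME_B[15:], FRAME_C])


def main(argv):
    """Usage: compare_pcap.py original.pcap converted.pcap (no arguments: run on the sample data)."""
    if len(argv) == 3:
        with open(argv[1], "rb") as fa, open(argv[2], "rb") as fb:
            diffs = compare_captures(fa.read(), fb.read())
    else:
        diffs = compare_captures(ORIGINAL, MANGLED)
    for line in diffs or ["captures agree"]:
        print(line)
    return 1 if diffs else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the converted file already disagrees with the tcpdump capture, the unified file (or the converter) is the place to look; if it agrees and only Barnyard's log_dump output shows the anomalies, the problem is on Barnyard's side.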

>On Thu, Aug 22, 2002 at 06:02:59PM -0300, Andreas Hasenack wrote:
>> Actually, I just tried barnyard's ascii output and it's also different
>> from the tcpdump one, so it's not specific to sql output. Probably the
>> unified file was generated with it.
>
>Ok, here is what I have:
>tcpdump file
>unified file
>
>Both files representing the same capture.
>
>Reading the tcpdump file with tcpdump itself doesn't show any anomalies.
>
>Processing the unified file with barnyard gives different results:
>- using output log_dump: ascii-barnyard-output.txt I get the txt file with
>  the anomalies
>- using output log_pcap: tcpdump-barnyard-output.pcap generates a clean file,
>  with no anomalies
>