John Gerber johngerber at ...398...
Sun Oct 26 19:17:10 EDT 2008

Just recently upgraded to (Build 17).  It appears that Snort can no longer read from STDIN.  Wanted to confirm this was the case.  We keep some large pcap files around in compressed format.  If we want to run it through Snort, we used to be able to do a command like:

 gunzip -c  test.pcap.gz |   /software/snort/bin/snort -c /software/snort/etc/snort.conf -l /logs/snort/logs -r -

Now, I get:

# gunzip -c  test.pcap.gz |   /software/snort/bin/snort -c /software/snort/etc/snort.conf -l /logs/snort/logs -r -
Error getting stat on pcap file: -: No such file or directory
ERROR: Error getting pcaps
Fatal Error, Quitting..

This can be tested by simply doing:

# /usr/sbin/tcpdump  -c 50  -w test.pcap
# gzip test.pcap
# gunzip -c  test.pcap.gz |   /software/snort/bin/snort -c /software/snort/etc/snort.conf -l /logs/snort/logs -r -

I can pipe to STDIN to tcpdump with the command:

# gunzip -c  test.pcap.gz |  /usr/sbin/tcpdump -X -r -

Snort will run if I do:

# /software/snort/bin/snort -c /software/snort/etc/snort.conf -l /logs/snort/logs -r test.pcap

Operating system:

# uname -a
Linux compuername 2.6.18-92.1.13.el5PAE #1 SMP Thu Sep 4 04:05:54 EDT 2008 i686 i686 i386 GNU/Linux

The previous version of Snort I had was, so this problem may not be new.  Just curious if there is a way around this without uncompressing the files. 
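A way to sidestep the "Error getting stat on pcap file: -" failure without writing the decompressed capture to disk, added here as an example (this is not code from the original post or from the Snort project): decompress into a named pipe in a private temporary directory and hand the reader the pipe's path instead of "-". A FIFO path can be stat'ed like any file, so the check that rejects "-" passes; whether this particular Snort build then reads happily from a FIFO is an assumption and should be confirmed on a small capture first. The reader command is whatever you pass after the file name (the snort invocation from the post, or tcpdump for a quick check); `count_bytes` is a constructed stand-in reader used only to exercise the helper.

```shell
#!/bin/sh
# Stream a compressed pcap to a reader that insists on a stat-able path.
# Assumes gzip (and optionally bzip2) plus mkfifo/mktemp from coreutils.
#
# Usage: read_compressed_pcap FILE READER [READER-ARGS...]
#   e.g. read_compressed_pcap test.pcap.gz \
#            /software/snort/bin/snort -c /software/snort/etc/snort.conf \
#            -l /logs/snort/logs -r
# The FIFO path is appended as the last argument, so the reader's
# "-r" (or tcpdump's "-r") must be the final word you pass.

read_compressed_pcap() {
    capture="$1"; shift
    [ -r "$capture" ] || { echo "cannot read $capture" >&2; return 1; }

    # Private directory so the pipe name cannot collide with another user's
    # and nobody else can pre-create a file (or symlink) at that path.
    dir="$(mktemp -d)" || return 1
    fifo="$dir/stream.pcap"
    mkfifo -m 0600 "$fifo" || { rm -rf "$dir"; return 1; }

    # Decompressor picked by extension; plain files are just streamed through.
    # Opening the FIFO for writing blocks until the reader opens it for reading,
    # so this runs in the background.
    case "$capture" in
        *.gz)  gzip  -dc "$capture" > "$fifo" & ;;
        *.bz2) bzip2 -dc "$capture" > "$fifo" & ;;
        *)     cat       "$capture" > "$fifo" & ;;
    esac
    writer=$!

    # Run the reader against the pipe path rather than "-".
    "$@" "$fifo"
    rc=$?

    # If the reader bailed out before opening the pipe (e.g. a failed
    # sanity check), the writer is still blocked in open(); kill it so we
    # never hang in wait. If the reader finished normally the writer has
    # already exited and the kill is a harmless no-op.
    kill "$writer" 2>/dev/null || true
    wait "$writer" 2>/dev/null || true
    rm -rf "$dir"
    return "$rc"
}

# Constructed stand-in reader: reports how many bytes arrived via the path
# it was given. Lets the helper be exercised without a pcap reader installed.
count_bytes() {
    wc -c < "$1" | tr -d ' '
}
```

Because the reader only ever sees a path under a fresh `mktemp -d` directory, the same wrapper works for any tool that stats its input before opening it; the cost is one extra process and no extra disk space.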

