[Snort-devel] Problem Snort Reading STDIN

Todd Wease twease at ...402...
Mon Oct 27 11:12:39 EDT 2008


Hey John,

Thanks for notifying us about this.  This seems to have happened a few
releases ago when we implemented code to read multiple pcaps from the
command line.  The fix should be in our next release.

Thanks,
Todd


John Gerber wrote:
> Just recently upgraded to 2.8.3.1 (Build 17).  It appears that Snort
> can no longer read from STDIN.  Wanted to confirm this was the case. 
> We keep some large pcap files around in compressed format.  If we want
> to run it through Snort, we used to be able to do a command like:
>
>  gunzip -c  test.pcap.gz |   /software/snort/bin/snort -c
> /software/snort/etc/snort.conf -l /logs/snort/logs -r -
>
> Now, I get:
>
> # gunzip -c  test.pcap.gz |   /software/snort/bin/snort -c
> /software/snort/etc/snort.conf -l /logs/snort/logs -r -
> Error getting stat on pcap file: -: No such file or directory
> ERROR: Error getting pcaps
> Fatal Error, Quitting..
>
> This can be tested by simply doing:
>
> # /usr/sbin/tcpdump  -c 50  -w test.pcap
> # gzip test.pcap
> # gunzip -c  test.pcap.gz |   /software/snort/bin/snort -c
> /software/snort/etc/snort.conf -l /logs/snort/logs -r -
>
> I can pipe to STDIN to tcpdump with the command:
>
> # gunzip -c  test.pcap.gz |  /usr/sbin/tcpdump -X -r -
>
> Snort will run if I do:
>
> # /software/snort/bin/snort -c /software/snort/etc/snort.conf -l
> /logs/snort/logs -r test.pcap
>
> Operating system:
>
> # uname -a
> Linux compuername 2.6.18-92.1.13.el5PAE #1 SMP Thu Sep 4 04:05:54 EDT
> 2008 i686 i686 i386 GNU/Linux
>
> The previous version of Snort I had was 2.7.0.1, so this problem may
> not be new.  Just curious if there is a way around this without
> uncompressing the files.
>
> Thanks,
> John
>   
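
A workaround for affected builds, as an added example that is not from the thread or from the Snort project: since the post shows that `-r test.pcap` on a regular file still works, this decompresses to a private temporary file, runs Snort on it, and removes the copy afterwards. The helper name `snort_read_gz` and the environment-variable overrides are assumptions; the default paths are the ones in John's command.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults are the paths in John's command;
# override them through the environment (these variable names are assumptions).
SNORT_BIN=${SNORT_BIN:-/software/snort/bin/snort}
SNORT_CONF=${SNORT_CONF:-/software/snort/etc/snort.conf}
SNORT_LOGDIR=${SNORT_LOGDIR:-/logs/snort/logs}

# snort_read_gz FILE.pcap.gz   (hypothetical helper name)
# Returns Snort's exit status, or 2 = unreadable input, 4 = no temp file,
# 5 = decompression failed.
snort_read_gz() {
    gz=$1
    if [ ! -r "$gz" ]; then
        echo "snort_read_gz: cannot read $gz" >&2
        return 2
    fi
    # Subshell so the cleanup traps do not leak into the caller's shell.
    (
        # mktemp creates the file with mode 0600, so the captured traffic is
        # not readable by other local users while it sits on disk.
        tmp=$(mktemp "${TMPDIR:-/tmp}/snort-pcap.XXXXXX") || exit 4
        trap 'rm -f "$tmp"' EXIT
        trap 'exit 1' HUP INT TERM
        # Stop before starting Snort if the archive is truncated or corrupt,
        # so a partial capture is never analysed as if it were complete.
        gunzip -c "$gz" > "$tmp" || exit 5
        "$SNORT_BIN" -c "$SNORT_CONF" -l "$SNORT_LOGDIR" -r "$tmp"
    )
}

# Usage: sh this-script test.pcap.gz
if [ "$#" -gt 0 ]; then
    snort_read_gz "$1"
fi
```

The temporary copy needs enough free space under `TMPDIR` for the uncompressed capture.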




