[Snort-users] bad dump file format... huh?
alambert at ...387...
Tue Nov 14 11:15:46 EST 2000
Hrmm... I've got one file for sure (and 2 more that I still have
to verify) that were created by snort (1.6.3_patch1) in tcpdump binary
logging mode (snort -b), which as far as tcpdump is concerned, are
perfectly fine (tcpdump -n -r dumpfile reads them just fine anyway), but I
cannot read these files with snort itself; neither the snort binary that
created the dumpfile, nor the CVS derived snort binary I use to import the
dump files into my MySQL database.
Also worthy of note; is that I have a significant number of other
snort boxes which other than the rulesets, are 100% identical to the box
that generated these (apparently) bad tcpdump files, as well as other
tcpdump binary files from the same timeframe from the same box that are
not bad (as far as I can tell anyway).
So, to summarize my yammering above:
snort -b -s -d -D -i eth0 -l /my/logfile/path -c /my/conf/path/rules.base
# (generated tcpdump binary file snort-xxxx at ...792... in /my/logfile/path
# as expected)
tcpdump -n -r snort-xxxx at ...792... # works fine (-n is just to avoid
# waiting on DNS lookups)
snort -vedC -r snort-xxxx at ...792... # reports "bad dump file format"
# Hrmmm.... let's try this...
tcpdump -n -r snort-xxxx at ...792... -w test.log # works fine
snort -vedC -r test.log # reports "bad dump file format"
I have no clue... I'll post more later if/when I figure this out,
or have new clues. Anyone with any thoughts on this, I'm all ears.
Thanks in advance.
More information about the Snort-users