[Snort-users] Problem (I think) solved (or at least figured out)...

A.L.Lambert alambert at ...387...
Tue Nov 14 11:52:19 EST 2000


	Ok, I think I got it figured out, at least in so far as it relates
to the one file I couldn't read at all with snort.  Apparently it works
like this....

	tcpdump (stock redhat) compiled against that bastardized
libpcap-0.4 that RH ships with.  Apparently compiled -static, hence it
still works with libpcap upgraded to 0.5.  It is also apparently capable
of reading tcpdump files generated with snort compiled against libpcap
0.5.  But when it writes files, it writes them in libpcap 0.4 format,
which snort can't read.

	Now, I can't imagine why I ran into this problem now, and not much
earlier than this, because I use tcpdump all the time to manipulate
the dump files snort generates.  But anyhoo, that's neither here nor
there.

	About 3 days ago, I had some stuff I wanted stripped out of a
logfile (that *ahem* embarrassing incident I mentioned in an earlier mail
to this list), and a quick run of tcpdump against the file with apropos
filters in place did the trick.  It seems I promptly forgot about it, and
went on about my business, and didn't see anything wrong with that until
today, when I noticed my cronjob.debug file (output from my
harvesting/importing scripts) had errors in it.

	Anyhoo, I still have 2 other files that appear to have problems of
some form or another, and those did not get mucked with using the old
tcpdump (I have a fresh-from-source binary of tcpdump I just compiled that
seems to be fine re: snort<->tcpdump interoperation), but anyhoo...  
That's the scoop.  Apologies for the waste of bandwidth.

	--A.L.Lambert
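The symptom described in the post (one tcpdump build writes files another libpcap-based reader cannot parse) usually comes down to the pcap global header and the size of the per-packet record header. The script below is an added example, not part of the original post or of Snort/tcpdump; it decodes the 24-byte global header, classifies the file by magic value, and walks the records to show how a mismatched record-header length derails a reader. It assumes the header layouts documented for the standard libpcap format and for the "modified" Kuznetsov variant (magic 0xA1B2CD34, eight extra bytes per record) that patched Red Hat libpcap builds of that era wrote; whether that is exactly what the poster's stock tcpdump produced is an assumption, not something the post states. The sample files are constructed in memory.

```python
import struct

# pcap global-header magic values, as documented for the libpcap file format.
# The "modified" value belongs to the Alexey Kuznetsov patched libpcap used by
# some Red Hat tcpdump builds (assumption: this is the variant behind the
# post's symptom); it adds 8 bytes to every per-packet header, which a stock
# libpcap reader does not expect.
STANDARD_MAGIC = 0xA1B2C3D4   # timestamps in microseconds
NSEC_MAGIC = 0xA1B23C4D       # timestamps in nanoseconds
MODIFIED_MAGIC = 0xA1B2CD34   # Kuznetsov / "Red Hat modified" variant

# magic -> (kind, per-record header length in bytes)
KINDS = {
    STANDARD_MAGIC: ("standard", 16),
    NSEC_MAGIC: ("standard-nsec", 16),
    MODIFIED_MAGIC: ("modified", 24),
}
GLOBAL_HEADER_LEN = 24


def inspect_header(data):
    """Decode the global header: kind, byte order, version, snaplen, link type,
    and the record-header length a reader must use.  Unknown magic -> "unknown"."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than a pcap global header")
    for endian in ("<", ">"):            # try little- then big-endian magic
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in KINDS:
            kind, rec_len = KINDS[magic]
            major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
                endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])
            return {"kind": kind, "endian": "little" if endian == "<" else "big",
                    "version": (major, minor), "snaplen": snaplen,
                    "linktype": linktype, "record_header_len": rec_len}
    return {"kind": "unknown", "magic": data[:4].hex()}


def count_records(data, force_standard=False):
    """Walk the packet records and return (count, clean); clean is True when the
    walk ends exactly at end-of-file.  force_standard=True assumes 16-byte record
    headers regardless of magic, i.e. what a reader ignorant of the modified
    layout does: the 8-byte misalignment surfaces as a bogus packet length."""
    info = inspect_header(data)
    if info["kind"] == "unknown":
        return 0, False
    endian = "<" if info["endian"] == "little" else ">"
    rec_len = 16 if force_standard else info["record_header_len"]
    off, count = GLOBAL_HEADER_LEN, 0
    while off + rec_len <= len(data):
        # ts_sec, ts_usec, incl_len, orig_len are the first 16 bytes in both
        # layouts; the modified layout appends ifindex/protocol/pkt_type/pad.
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += rec_len
        if off + incl_len > len(data):
            return count, False          # length points past end of file
        off += incl_len
        count += 1
    return count, off == len(data)


def build_pcap(kind, payloads, endian="<"):
    """Construct a pcap file in memory (test data, not a real capture)."""
    magic = {"standard": STANDARD_MAGIC, "modified": MODIFIED_MAGIC}[kind]
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)  # v2.4, DLT_EN10MB
    for i, payload in enumerate(payloads):
        ts_sec, ts_usec = 974220739 + i, 1000 * i          # constructed timestamps
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(payload), len(payload))
        if kind == "modified":
            # extra fields of the Kuznetsov layout: ifindex, protocol, pkt_type, pad
            out += struct.pack(endian + "IHBB", 2, 0x0800, 0, 0)
        out += payload
    return out


# Two constructed 14-byte "packets" (an Ethernet header's worth of bytes each).
SAMPLE_PAYLOADS = [bytes(range(14)), bytes(range(14, 28))]
STANDARD_FILE = build_pcap("standard", SAMPLE_PAYLOADS)
MODIFIED_FILE = build_pcap("modified", SAMPLE_PAYLOADS)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                # inspect real files given on the command line
        with open(path, "rb") as fh:
            print(path, inspect_header(fh.read()))
    print("standard:", inspect_header(STANDARD_FILE)["kind"], count_records(STANDARD_FILE))
    print("modified:", inspect_header(MODIFIED_FILE)["kind"], count_records(MODIFIED_FILE))
    print("modified read as 16-byte records:", count_records(MODIFIED_FILE, force_standard=True))
```

Run it with `python3 pcapcheck.py dump.log` against a file Snort rejects: a magic other than the standard one in the first four bytes, or a walk that does not end cleanly, points at a writer/reader format mismatch rather than a corrupt capture. Converting such a file means rewriting it with a tcpdump built against the same libpcap the reader uses, as the post's fresh-from-source binary does.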
