[Snort-users] Re-read snort trace with Snort ?

Martin Roesch roesch at ...421...
Thu Nov 30 01:23:47 EST 2000


Nope, but if you were feeling particularly motivated you could probably write a
Perl script that could put the packets back into binary pcap mode from the
dumps and then re-read those through Snort.

Don't laugh, I did something similar over a year ago for a job, it was pretty
entertaining... :)

     -Marty


Wayne Veilleux et Lucienne Bolduc wrote:
> 
> Hi:
> 
> Is it possible to read a file as input with Snort when
> the file was made by a regular snort-1.6.3 output like
> this (I know there is a -r option for raw tcpdump files):
> 
> 09/08-00:26:50.214297 64.229.196.119:3612 -> 131.195.217.142:2047
> TCP TTL:116 TOS:0x0 ID:25989  DF
> 21SFRP** Seq: 0xA9FC05   Ack: 0x1A80080   Win: 0x5010
> E2 41                                            .A
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 09/08-01:16:35.034978 131.195.217.218:1095 -> 207.172.3.46:119
> TCP TTL:126 TOS:0x0 ID:34870  DF
> 21SFRPAU Seq: 0x33D6C   Ack: 0x960219C9   Win: 0x5010
> 04 47 00 77 00 03 3D 6C 96 02 19 C9 00 FF 50 10  .G.w..=l......P.
> 22 38 6C 99 20 20 20 20 20 00                    "8l.     .
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 09/08-01:20:07.832604 131.195.217.218:1095 -> 207.172.3.46:119
> TCP TTL:126 TOS:0x0 ID:13173  DF
> 21SFRPAU Seq: 0x340CC   Ack: 0x197FE   Win: 0x5010
> 22 38 3D 07 20 20 20 20 20 00                    "8=.     .
> 
> 
> Thanks
> 
> Wayne
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
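Marty's suggestion, worked through as an added example (this is not code from the original post or from the Snort project, and it is in Python rather than Perl): a converter that parses Snort 1.6-style text dumps such as the three records Wayne posted and writes them back out as a pcap file that Snort can re-read with -r. Its assumptions: the dump carries no year, so one is supplied as a parameter (2000 here, matching the date of the post) and the printed times are taken as UTC; the dump has no link-layer data, IP or TCP options, or original checksums, so each rebuilt frame gets all-zero Ethernet addresses, minimal 20-byte IP and TCP headers and freshly computed checksums; TCP flag letters are matched by letter rather than by column, with the reserved bits '1' and '2' assumed to be 0x80 and 0x40; and records whose second and third lines are not in the TCP layout (UDP, ICMP) are skipped. The sample input is the post's own three records.

```python
# Rebuild a pcap file from Snort 1.6-style text dumps (added example, not Snort code).
import re
import struct
from datetime import datetime, timezone

# One letter per TCP flag as Snort prints them, '*' for an unset bit.  Matching by
# letter avoids depending on column order; reserved bits '1'=0x80 and '2'=0x40
# are an assumption of this example.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
HDR_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) "
                    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
IP_RE = re.compile(r"^TCP TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+)(.*)$")
TCP_RE = re.compile(r"^(\S{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)"
                    r"\s+Win: 0x([0-9A-Fa-f]+)")
# Hex column = byte pairs each followed by one space.  Snort pads that column, so
# the ASCII column is preceded by two or more spaces and the greedy match stops
# before it (a trailing space is appended before matching so the last pair counts).
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")

# Sample input: the three records from the original post.
SAMPLE_DUMP = """\
09/08-00:26:50.214297 64.229.196.119:3612 -> 131.195.217.142:2047
TCP TTL:116 TOS:0x0 ID:25989  DF
21SFRP** Seq: 0xA9FC05   Ack: 0x1A80080   Win: 0x5010
E2 41                                            .A
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/08-01:16:35.034978 131.195.217.218:1095 -> 207.172.3.46:119
TCP TTL:126 TOS:0x0 ID:34870  DF
21SFRPAU Seq: 0x33D6C   Ack: 0x960219C9   Win: 0x5010
04 47 00 77 00 03 3D 6C 96 02 19 C9 00 FF 50 10  .G.w..=l......P.
22 38 6C 99 20 20 20 20 20 00                    "8l.     .
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/08-01:20:07.832604 131.195.217.218:1095 -> 207.172.3.46:119
TCP TTL:126 TOS:0x0 ID:13173  DF
21SFRPAU Seq: 0x340CC   Ack: 0x197FE   Win: 0x5010
22 38 3D 07 20 20 20 20 20 00                    "8=.     .
"""


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (odd-length input is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_snort_dump(text: str) -> list:
    """Split the dump on its =+=+ separators and parse each TCP record into a dict."""
    records = []
    for block in re.split(r"^=\+=.*$", text, flags=re.M):
        lines = [l.rstrip() for l in block.splitlines() if l.strip()]
        if len(lines) < 3:
            continue
        hdr, ip, tcp = HDR_RE.match(lines[0]), IP_RE.match(lines[1]), TCP_RE.match(lines[2])
        if not (hdr and ip and tcp):
            continue  # not a TCP record in the expected layout (UDP, ICMP, ...): skip it
        hexes = (HEX_RE.match(l + " ") for l in lines[3:])
        payload = b"".join(bytes.fromhex(m.group(1)) for m in hexes if m)
        flags = 0
        for ch in tcp.group(1):
            flags |= FLAG_BITS.get(ch, 0)
        ip_flags = ip.group(4).split()
        records.append({
            "month": int(hdr.group(1)), "day": int(hdr.group(2)), "hour": int(hdr.group(3)),
            "minute": int(hdr.group(4)), "second": int(hdr.group(5)), "usec": int(hdr.group(6)),
            "src": hdr.group(7), "sport": int(hdr.group(8)), "dst": hdr.group(9),
            "dport": int(hdr.group(10)), "ttl": int(ip.group(1)), "tos": int(ip.group(2), 16),
            "id": int(ip.group(3)), "df": "DF" in ip_flags, "mf": "MF" in ip_flags,
            "flags": flags, "seq": int(tcp.group(2), 16), "ack": int(tcp.group(3), 16),
            "win": int(tcp.group(4), 16), "payload": payload})
    return records


def build_frame(rec: dict) -> bytes:
    """Wrap the recovered payload in synthetic Ethernet/IPv4/TCP headers.  Options and
    the original checksums are not in the dump, so both headers are the minimal 20
    bytes and the checksums are recomputed."""
    src = bytes(int(o) for o in rec["src"].split("."))
    dst = bytes(int(o) for o in rec["dst"].split("."))
    tcp = struct.pack("!HHIIBBHHH", rec["sport"], rec["dport"], rec["seq"], rec["ack"],
                      5 << 4, rec["flags"], rec["win"], 0, 0) + rec["payload"]
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    frag = (0x4000 if rec["df"] else 0) | (0x2000 if rec["mf"] else 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, rec["tos"], 20 + len(tcp), rec["id"],
                     frag, rec["ttl"], 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # All-zero MAC addresses: the text dump carries no link-layer information.
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def verify_frame(frame: bytes) -> bool:
    """Sanity check: both recomputed checksums verify to zero over the finished frame."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def snort_dump_to_pcap(text: str, year: int = 2000) -> bytes:
    """Return a complete little-endian pcap file (LINKTYPE_ETHERNET = 1).  Snort prints
    no year, so the caller supplies one (assumed 2000 here); times are taken as UTC."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for rec in parse_snort_dump(text):
        ts = datetime(year, rec["month"], rec["day"], rec["hour"], rec["minute"],
                      rec["second"], tzinfo=timezone.utc)
        frame = build_frame(rec)
        out.append(struct.pack("<IIII", int(ts.timestamp()), rec["usec"], len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)
```

Write the bytes returned by snort_dump_to_pcap() to a file and replay it with snort -r. Keep in mind what the round trip loses: anything Snort did not print (IP and TCP options, the link-layer header, the original checksums, the exact header bytes) is gone, so the replay will not reproduce rule matches or decoder behaviour that depended on those fields.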


