[Snort-users] snort -r $LOG -N -q -c /d2/portwatch/scripts/$PW_PROC.rules -A none

root root at ...480...
Wed Sep 20 16:30:57 EDT 2000


Folks,

I was trying to read the tcpdump which another instance of snort is writing
packets to.  As luck would have it, nothing had transpired on the net which
would cause the LOG disk blocks to get updated.  So, the magic header had
not been flushed to disk.  This will cause snort to complain:

ERROR => unable to open file LOG for readback: fread: No such file or directory

This is not quite a true diagnostic.  I modified libpcap to fflush the file
after it fwrite's the first few bytes of the file (24 bytes in my case).

Now, snort proceeds normally, although there is nothing to report.  %^)

Phil
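
An added example, not part of the original post and not libpcap or snort code: a reader-side check that tells "header not flushed yet" apart from a missing or invalid file, plus a constructed demo of the buffering effect described above. The names `check_savefile`, `demo` and the `/tmp` path are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdint.h>

/* Classic pcap savefile global header: the 24 bytes the post refers to. */
struct pcap_hdr {
    uint32_t magic;                 /* 0xa1b2c3d4 in the writer's byte order */
    uint16_t version_major, version_minor;
    int32_t  thiszone;
    uint32_t sigfigs;
    uint32_t snaplen;
    uint32_t linktype;
};

enum hdr_state { HDR_OK = 0, HDR_NOT_FLUSHED = 1, HDR_BAD_MAGIC = 2, HDR_IO_ERROR = 3 };

/* Classify a savefile by what is actually on disk right now. */
enum hdr_state check_savefile(const char *path) {
    struct pcap_hdr h;
    FILE *fp = fopen(path, "rb");
    if (!fp) return HDR_IO_ERROR;              /* file really is missing/unreadable */
    size_t n = fread(&h, 1, sizeof h, fp);
    fclose(fp);
    if (n < sizeof h) return HDR_NOT_FLUSHED;  /* short read: writer still buffering */
    if (h.magic != 0xa1b2c3d4u && h.magic != 0xd4c3b2a1u) return HDR_BAD_MAGIC;
    return HDR_OK;
}

/* Constructed demo: write the header the way a capture process would, then
 * inspect the file through a second handle before and after fflush().
 * Returns before*10 + after, or -1 if the file cannot be written. */
int demo(const char *path) {
    struct pcap_hdr h = { 0xa1b2c3d4u, 2, 4, 0, 0, 65535, 1 };
    FILE *w = fopen(path, "wb");
    if (!w) return -1;
    if (fwrite(&h, sizeof h, 1, w) != 1) { fclose(w); return -1; }
    int before = check_savefile(path);         /* header still in the stdio buffer */
    fflush(w);
    int after = check_savefile(path);          /* header now visible to readers */
    fclose(w);
    remove(path);
    return before * 10 + after;
}

int main(void) {
    printf("before/after fflush: %d\n", demo("/tmp/pcap_flush_demo.pcap"));
    return 0;
}
```

A reader that gets `HDR_NOT_FLUSHED` can retry later instead of reporting the file as absent.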


