[Snort-users] help improving time it takes to read compressed tcpdumps

Crow, Owen Owen_Crow at ...2639...
Wed Nov 7 10:31:05 EST 2001

It looks like snort does accept input from STDIN if you use the "-" 
special file:

gzip -dc dumpfile.log.gz | snort -devr -

This is not mentioned in the man page for 1.7 or 1.8.2 and should
probably be added.  But it's old school Unix anyway.

At the very least, I would recommend that when you decompress to read 
into snort, you leave the original compressed file in place to avoid
the re-compress step:

gzip -dc dumpfile.log.gz > dumpfile.log && \
	snort -devr dumpfile.log && \
	rm dumpfile.log

The zlib added to snort would be nice, too, like Ethereal does.

Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.
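An added example, not code from either poster, of the streaming approach described above: the compressed capture is decompressed straight into a pcap reader's stdin and the archived .gz is never touched. The function names (decompressor_for, stream_dump, make_sample_dump) are this example's own, and the sample capture it builds is constructed inline (a pcap global header plus one four-byte record), not a real dump. The reader is whatever command you pass, so "snort -devr -" is the intended use; the demo at the bottom uses wc -c as a stand-in because snort may not be installed where this runs.

```shell
#!/bin/sh
# Added example, not from the original thread. Streams a compressed tcpdump
# file into any pcap reader that accepts "-" (stdin), e.g. "snort -devr -",
# without ever decompressing to disk or touching the archived file.

# Choose the decompressor from the file's magic bytes, not its name, so a
# misnamed archive is not handed to the wrong tool. Prints the command.
decompressor_for() {
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')   # first two bytes as hex
    case "$magic" in
        1f8b) echo "gzip -dc" ;;
        425a) echo "bzip2 -dc" ;;
        *)    echo "cat" ;;        # not compressed: pass the file through
    esac
}

# stream_dump FILE READER [READER ARGS...]
#   e.g. stream_dump dump.log.gz snort -devr -
# A plain "gzip -dc f.gz | snort -r -" reports only snort's exit status, so a
# truncated archive looks like a clean run. Here the decompressor's status is
# captured separately and the call fails if either side failed.
stream_dump() {
    file=$1; shift
    dec=$(decompressor_for "$file")
    status_file=$(mktemp)
    (
        if $dec "$file"; then echo 0 > "$status_file"; else echo $? > "$status_file"; fi
    ) | "$@"
    reader_rc=$?
    dec_rc=$(cat "$status_file"); rm -f "$status_file"
    [ "$reader_rc" -eq 0 ] && [ "${dec_rc:-1}" -eq 0 ]
}

# Constructed test data: a little-endian pcap global header (24 bytes,
# linktype 1 = Ethernet) followed by one record with 4 bytes of payload,
# 44 bytes in total, written gzip-compressed to the given path.
make_sample_dump() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1.tmp"
    printf '\000\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\336\255\276\357' >> "$1.tmp"
    gzip -c "$1.tmp" > "$1"
    rm -f "$1.tmp"
}

# Stand-alone demo with wc -c standing in for snort.
tmp=$(mktemp -d)
make_sample_dump "$tmp/dump.log.gz"
printf 'bytes seen by reader: %s\n' "$(stream_dump "$tmp/dump.log.gz" wc -c | tr -d ' ')"   # prints 44
rm -rf "$tmp"
```

Under bash, `set -o pipefail` gets you the same guarantee in one line; the status-file dance is only there so the script stays POSIX sh for older sensor boxes. The same function also handles an uncompressed file (it falls through to cat), so one wrapper covers both the fresh and the archived captures.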

-----Original Message-----
From: Erik Melander [mailto:Emelander at ...3910...]
Sent: Wednesday, November 07, 2001 11:41 AM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] help improving time it takes to read compressed

As I understand it, Snort does not accept tcpdump data from stdin, but
requires the use of the "-r" flag to read tcpdumps.  Currently, I pull
compressed tcpdumps from my sensors, aggregate them on the analyzing
machine, uncompress them, read them into Snort, and recompress them for
archival purposes.  I would like to use the Compress::Zlib perl module to
uncompress and compress on the fly while dumping the data into stdin (much
like the fetchem.pl script does on Shadow).  This should significantly
reduce the time it takes to read compressed tcpdumps into Snort.  Even
better would be the ability to compile zlib into snort so it can natively
read compressed tcpdumps.  If this is not possible, if anyone has any
suggestions for improving the time it takes for this process, I would love
to hear it.  Thanks!
