[Snort-users] logtopcap: a snort unified log to pcap file tool.
dr at ...50...
Sun Aug 18 05:46:01 EDT 2002
Someone asked me for a tool to convert snort
unified log files to pcap files. I needed some output
file diagnostic tools myself, so I built a small utility.
This may be of interest to others too... so you are reading this. :-)
The program below converts snort unified log files into pcap files
suitable for reading with tcpdump, snort, and ethereal. Barnyard
can also be used for this function, but this utility is a little
faster and doesn't have to be configured; it will automagically
determine the input format and process accordingly. The diagnostic
dumps also give complete, unabridged, human readable packets
and file contents without skipping any fields (b.y. may do this
too in some mode but I haven't played with it).
cc -o logtopcap logtopcap.c
logtopcap <snort.log.filename> <pcap.filename>
It will also produce diagnostic human readable text dumps
of all the input file formats if you give it a third dumpfile argument.
logtopcap <snort.log.filename> <pcap.filename> [dumpfile]
Logtopcap will process the following input formats:
Snort 1.x Unified Log Files
Snort 1.x Unified Alert Files (*)
Snort 2.x Unified Log/Alert Files
Pcap Files (not funny redhat ones yet tho :) (**)
(*) (Note 1: Snort 1.x Alert files contain no packets, so no pcap data
will be output, but the data will be dumped into human readable
form in the dumpfile if a third argument is used.)
(**) (Note 2: In this mode the file conversion is a no-op, as
input file = output file, but I've needed a raw pcap dumper
for some time... :-)
It only produces one binary output format: ordinary pcap files
(and the human readable text dumps).
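The two things the description above relies on are sniffing the input
format from the file's magic number and emitting a classic libpcap
file (24-byte global header, 16-byte record header per packet). The
program below is an added example written for this post, not
logtopcap itself (which was an attachment): it recognises the file
formats by magic, writes a pcap file from packet records, and walks a
pcap buffer back to count records and catch a truncated file. The
pcap magic values are the standard libpcap ones (0xa1b2cd34 being the
"modified" format of the patched Red Hat libpcap); the two Snort
unified magic values are taken from Snort's spo_unified.h as I recall
it and should be checked against your Snort source. The two Ethernet
frames are constructed sample data, not real traffic, and the file
name pcapdemo.c is hypothetical.

```c
/* Added example (not logtopcap): format sniffing and classic pcap writing.
 * Build: cc -o pcapdemo pcapdemo.c ; run: ./pcapdemo [out.pcap] */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PCAP_MAGIC          0xa1b2c3d4u  /* classic libpcap savefile, host order */
#define PCAP_MAGIC_SWAPPED  0xd4c3b2a1u  /* same, written on an other-endian host */
#define PCAP_MAGIC_MODIFIED 0xa1b2cd34u  /* "modified" pcap of patched (Red Hat) libpcap */
#define SNORT_LOG_MAGIC     0xDEAD1080u  /* assumed: LOG_MAGIC in Snort's spo_unified.h */
#define SNORT_ALERT_MAGIC   0xDEAD4137u  /* assumed: ALERT_MAGIC in Snort's spo_unified.h */

enum input_format { FMT_UNKNOWN, FMT_PCAP, FMT_PCAP_SWAPPED, FMT_PCAP_MODIFIED,
                    FMT_SNORT_UNIFIED_LOG, FMT_SNORT_UNIFIED_ALERT };

/* 24-byte global header and 16-byte per-record header of a classic pcap file. */
struct pcap_file_header { uint32_t magic; uint16_t version_major, version_minor;
                          int32_t thiszone; uint32_t sigfigs, snaplen, linktype; };
struct pcap_rec_header  { uint32_t ts_sec, ts_usec, incl_len, orig_len; };

/* Sniff the first four bytes. The magic is read in host order because a
 * native writer stores it in host order; a swapped magic means foreign endianness. */
enum input_format detect_format(const unsigned char *buf, size_t len)
{
    uint32_t magic;
    if (len < sizeof magic) return FMT_UNKNOWN;
    memcpy(&magic, buf, sizeof magic);
    switch (magic) {
    case PCAP_MAGIC:          return FMT_PCAP;
    case PCAP_MAGIC_SWAPPED:  return FMT_PCAP_SWAPPED;
    case PCAP_MAGIC_MODIFIED: return FMT_PCAP_MODIFIED;
    case SNORT_LOG_MAGIC:     return FMT_SNORT_UNIFIED_LOG;
    case SNORT_ALERT_MAGIC:   return FMT_SNORT_UNIFIED_ALERT;
    default:                  return FMT_UNKNOWN;
    }
}

/* Append a pcap global header (version 2.4); returns bytes written, 0 if cap is too small. */
size_t pcap_put_header(unsigned char *out, size_t cap, uint32_t snaplen, uint32_t linktype)
{
    struct pcap_file_header h = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype };
    if (cap < sizeof h) return 0;
    memcpy(out, &h, sizeof h);
    return sizeof h;
}

/* Append one packet record. Stored bytes are cut at snaplen, but orig_len keeps
 * the wire length, which is what tcpdump/ethereal use to report truncation. */
size_t pcap_put_packet(unsigned char *out, size_t cap, uint32_t ts_sec, uint32_t ts_usec,
                       const unsigned char *pkt, uint32_t wire_len, uint32_t snaplen)
{
    struct pcap_rec_header r = { ts_sec, ts_usec, wire_len < snaplen ? wire_len : snaplen, wire_len };
    if (cap < sizeof r + r.incl_len) return 0;
    memcpy(out, &r, sizeof r);
    memcpy(out + sizeof r, pkt, r.incl_len);
    return sizeof r + r.incl_len;
}

/* Walk a classic pcap buffer and count records; -1 if not native pcap or truncated. */
long pcap_count_packets(const unsigned char *buf, size_t len)
{
    size_t off = sizeof(struct pcap_file_header);
    long n = 0;
    if (detect_format(buf, len) != FMT_PCAP || len < off) return -1;
    while (off < len) {
        struct pcap_rec_header r;
        if (len - off < sizeof r) return -1;          /* header cut short */
        memcpy(&r, buf + off, sizeof r);
        if (r.incl_len > len - off - sizeof r) return -1; /* record runs past EOF */
        off += sizeof r + r.incl_len;
        n++;
    }
    return n;
}

/* Constructed sample: two fake Ethernet frames, the second longer than the
 * snaplen so it is stored truncated. Returns total bytes produced. */
size_t build_sample_capture(unsigned char *out, size_t cap, uint32_t snaplen)
{
    unsigned char frame1[60] = { 0xff,0xff,0xff,0xff,0xff,0xff,  /* constructed ARP-like frame */
                                 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06 };
    unsigned char frame2[200];
    size_t n = 0, k;
    memset(frame2, 0xAB, sizeof frame2);                       /* constructed filler payload */
    if ((k = pcap_put_header(out, cap, snaplen, 1 /* DLT_EN10MB */)) == 0) return 0;
    n += k;
    if ((k = pcap_put_packet(out + n, cap - n, 1029638761, 0, frame1, sizeof frame1, snaplen)) == 0) return 0;
    n += k;
    if ((k = pcap_put_packet(out + n, cap - n, 1029638761, 500000, frame2, sizeof frame2, snaplen)) == 0) return 0;
    n += k;
    return n;
}

int main(int argc, char **argv)
{
    unsigned char buf[4096];
    size_t n = build_sample_capture(buf, sizeof buf, 96);
    const char *path = argc > 1 ? argv[1] : "sample.pcap";
    FILE *f = fopen(path, "wb");
    if (!f || fwrite(buf, 1, n, f) != n) { perror(path); return 1; }
    fclose(f);
    printf("wrote %zu bytes, %ld packets to %s\n", n, pcap_count_packets(buf, n), path);
    return 0;
}
```

The resulting sample.pcap opens in tcpdump -r as two frames, the second
reported as 200 bytes on the wire but only 96 captured. The EOF check in
pcap_count_packets is the part worth keeping in any converter: a record
whose incl_len points past the end of the file is the usual symptom of a
log that was still being written when it was copied.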
dr at ...50... pgp: http://dragos.com/dr-dursec.asc
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002
A non-text attachment was scrubbed...
Size: 18275 bytes
Desc: not available