[Snort-users] Generating alert when reading tcpdump file

Andrew R. Baker andrewb at ...950...
Wed Jul 3 13:55:07 EDT 2002


tang xun wrote:
> Hi All,
>      I got some tcpdump data from various network to
> analyze. I am able to start snort to read those
> tcpdump files with the following command and generate
> logs.
> 
> snort -A full -v -d -h home_net -l /var/log/snort -r
> tcpdump_file.


You are missing a "-c snort.conf" in the above line.  You need to use 
this if you want Snort to run with any rules enabled.

>     But the "-A full" didn't work. I only got an empty
> alert file although I can see attacks in the tcpdump
> file.
> 
>     The question is whether snort can generate alerts
> when reading tcpdump files (in playback mode)?

Yes, but you have to load some rules for it to use to detect the alerts.

-A
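An added example, not from this thread or from the Snort project: a small wrapper that replays a capture through Snort with a rules configuration loaded (the "-c snort.conf" the reply points out was missing) and then checks whether the alert file actually received anything, since an empty alert file after playback almost always means no rules were loaded. The Snort binary name, the default config path, log directory and home network CIDR are assumptions to adjust; the sample alert text used in the checks is constructed in the "-A full" layout.

```shell
#!/bin/sh
# Added example (not the mailing-list author's or Snort's own code): replay a
# tcpdump/pcap file through Snort with rules loaded, then verify alerts exist.

# Build the offline-playback command line. "-c" loads snort.conf (and the rule
# files it includes); without it Snort runs as a sniffer/logger and writes no
# alerts. "-v" is left out: it only echoes every packet to the terminal.
snort_readback_cmd() {
    pcap="$1"; conf="$2"; logdir="$3"; homenet="$4"
    printf 'snort -c %s -A full -d -h %s -l %s -r %s\n' \
        "$conf" "$homenet" "$logdir" "$pcap"
}

# Return 0 when <logdir>/alert exists and is non-empty, 1 otherwise
# (an empty alert file is the symptom described in the question).
alert_file_has_alerts() {
    [ -s "$1/alert" ]
}

# Count alert records in a "-A full" alert file: each record starts with a
# line of the form "[**] [gid:sid:rev] message [**]".
count_alerts() {
    [ -f "$1/alert" ] || { echo 0; return 0; }
    grep -c '^\[\*\*\] \[' "$1/alert" || true
}

# Run the playback and report. Arguments: pcap [conf] [logdir] [homenet].
# The defaults below are assumptions; change them for your installation.
run_snort_readback() {
    pcap="$1"
    conf="${2:-/etc/snort/snort.conf}"
    logdir="${3:-/var/log/snort}"
    homenet="${4:-192.168.1.0/24}"

    [ -r "$pcap" ] || { echo "capture $pcap not readable" >&2; return 2; }
    # Refuse to run without a readable config: Snort would load no rules and
    # the empty alert file would be misread as "no attacks in the capture".
    [ -r "$conf" ] || { echo "config $conf not readable; no rules would load" >&2; return 2; }
    mkdir -p "$logdir"

    snort -c "$conf" -A full -d -h "$homenet" -l "$logdir" -r "$pcap" || return $?

    if alert_file_has_alerts "$logdir"; then
        echo "$(count_alerts "$logdir") alert(s) written to $logdir/alert"
    else
        echo "no alerts written; check that $conf includes rule files" >&2
        return 1
    fi
}

# Invoke only when given a capture on the command line.
if [ $# -ge 1 ]; then
    run_snort_readback "$@"
fi
```

Usage: `sh snort_readback.sh tcpdump_file /etc/snort/snort.conf /var/log/snort 10.0.0.0/8`. The config check runs before Snort does, so a bad "-c" path is reported as such rather than surfacing later as a silent, empty alert file.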