[Snort-users] Generating alert when reading tcpdump file
xuntwang at ...125...
Thu Jul 4 06:31:08 EDT 2002
Thanks for your prompt response.
Actually I realized that I should specify the rules for snort to be able to
trigger alert. But when I tried the "-c /path/snort.conf", I won't get
anything except an empty alert file. When I removed this switch from my
command, at least I could get lots of directory named with source IP
addresses in the /var/log/snort directory.
I didn't specify to write the alert to syslog, but I check the syslog as
well and didn't find any alert.
What is your thought?
>From: "Andrew R. Baker" <andrewb at ...950...>
>To: tang xun <xun_tang at ...131...>
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Generating alert when reading tcpdump file
>Date: Wed, 03 Jul 2002 16:54:38 -0400
>tang xun wrote:
>> I got some tcpdump data from various network to
>>analyze. I am able to start snort to read those
>>tcpdump files with the following command and gererate
>>snort -A full -v -d -h home_net -l /var/log/snort -r
>You are missing a "-c snort.conf" in the above line. You need to use this
>if you want Snort to run with any rules enabled.
>> But the "-A full" didn't work. I only got an empty
>>alert file although I can see attacks in the tcpdump
>> The question is whether snort can generate alerts
>>when reading tcpdump files(in playback mode)?
>Yes, but you have to load some rules for it to use to detect the alerts.
>This sf.net email is sponsored by:ThinkGeek
>No, I will not fix your computer.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
Join the worlds largest e-mail service with MSN Hotmail.
More information about the Snort-users