[Snort-users] Generating alert when reading tcpdump file

xun wang xuntwang at ...125...
Thu Jul 4 06:31:08 EDT 2002

Thanks for your prompt response.
Actually I realized that I should specify the rules for snort to be able to 
trigger alert. But when I tried the "-c /path/snort.conf", I won't get 
anything except an empty alert file. When I removed this switch from my 
command, at least I could get lots of directory named with source IP 
addresses in the /var/log/snort directory.

I didn't specify to write the alert to syslog, but I check the syslog as 
well and didn't find any alert.

What is your thought?

>From: "Andrew R. Baker" <andrewb at ...950...>
>To: tang xun <xun_tang at ...131...>
>CC: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] Generating alert when reading tcpdump file
>Date: Wed, 03 Jul 2002 16:54:38 -0400
>tang xun wrote:
>>Hi All,
>>      I got some tcpdump data from various network to
>>analyze. I am able to start snort to read those
>>tcpdump files with the following command and gererate
>>snort -A full -v -d -h home_net -l /var/log/snort -r
>You are missing a "-c snort.conf" in the above line.  You need to use this 
>if you want Snort to run with any rules enabled.
>>     But the "-A full" didn't work. I only got an empty
>>alert file although I can see attacks in the tcpdump
>>     The question is whether snort can generate alerts
>>when reading tcpdump files(in playback mode)?
>Yes, but you have to load some rules for it to use to detect the alerts.
>This sf.net email is sponsored by:ThinkGeek
>No, I will not fix your computer.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

Join the world’s largest e-mail service with MSN Hotmail. 

More information about the Snort-users mailing list