[Snort-users] I need some serious help

Don Don at ...5881...
Tue Jun 11 11:32:09 EDT 2002


thats the problem, snort is setup for tcpdump, i cannot replay the dump
files, it gives an error, reading the files in an editor reveals there are a
number of codered scans, and apparently something in the code prevents the
playback, using the command line
snort -dr snort.log -c c:\extract\snort.conf -l c:\extract\log
snort is restarted daily, creating 0606 at ...6048... 0607 at ...6048..., and
so on, i copy the logs to/from a remote system and play them back to get the
alerts and log structure for parsing and investigation, these particular
files from just this system, when i go to rename them to snort.log for the
extraction process, it says in use, cannot be renamed, and the file then
self-deletes. weird i say.

Don


-----Original Message-----
From: Erek Adams [mailto:erek at ...577...]
Sent: Tuesday, June 11, 2002 11:23 AM
To: Don
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] I need some serious help


On Tue, 11 Jun 2002, Don wrote:

> I have some snort traffic that causes real problems with snort, and
reading
> the logfile, it doesnt look good, it turns out that i cannot generate
alert
> files from the tcpdump file, could someone with help me out directly here.

>From the mind of Douglas Adams:  "Don't Panic" and "Always know where your
towel is."  :)

You need to turn on binary logging.  You can do that in two ways:

  1)  Adding "-b" to the command line
  2)  Adding "output log_tcpdump: snort.log" into your snort.conf file.

Now you've got the packets, what do you want to do with them?  Read/replay
them at your leisure?

	snort -vader <logfile>

Will dump them out to your screen.  Pipe to pager program of your choice and
read from there.

Hope that helps!

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net






More information about the Snort-users mailing list