[Snort-users] I need some serious help
Don at ...5881...
Tue Jun 11 11:32:09 EDT 2002
That's the problem: snort is set up for tcpdump, and I cannot replay the dump files; it gives an error. Reading the files in an editor reveals there are a number of Code Red scans, and apparently something in the code prevents the playback, using the command line
snort -dr snort.log -c c:\extract\snort.conf -l c:\extract\log
snort is restarted daily, creating 0606 at ...6048..., 0607 at ...6048..., and so on. I copy the logs to/from a remote system and play them back to get the alerts and log structure for parsing and investigation. These particular files from just this system, when I go to rename them to snort.log for the extraction process, it says in use, cannot be renamed, and the file then self-deletes. Weird, I say.
From: Erek Adams [mailto:erek at ...577...]
Sent: Tuesday, June 11, 2002 11:23 AM
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] I need some serious help
On Tue, 11 Jun 2002, Don wrote:
> I have some snort traffic that causes real problems with snort, and
> the logfile; it doesn't look good. It turns out that I cannot generate
> files from the tcpdump file. Could someone help me out directly here?
From the mind of Douglas Adams: "Don't Panic" and "Always know where your
towel is." :)
You need to turn on binary logging. You can do that in two ways:
1) Adding "-b" to the command line
2) Adding "output log_tcpdump: snort.log" into your snort.conf file.
Now you've got the packets, what do you want to do with them? Read/replay
them at your leisure?
snort -vader <logfile>
Will dump them out to your screen. Pipe to pager program of your choice and
read from there.
Hope that helps!
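Don's replay error and Erek's point that the log has to be written in binary come down to one question: is the file handed to `snort -r` actually a libpcap (tcpdump) capture, or an ASCII log? The script below is an added example, not from the thread or the Snort project, that checks the libpcap magic number and walks the record headers, reporting a truncated file (for instance one cut short by a daily restart) before any replay is attempted. The sample capture and sample text log are constructed inline; the function names (`classify_log`, `count_pcap_packets`) are mine.

```python
"""Sanity-check a Snort log before replaying it with `snort -r`.

Added example: distinguishes a binary tcpdump/libpcap log (what `-b` or
`output log_tcpdump:` produces) from an ASCII log, and verifies that the
libpcap record chain is intact.
"""
import struct
import sys

# libpcap global-header magic numbers -> (flavour, struct endianness prefix)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ("pcap", ">"),      # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("pcap", "<"),      # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ("pcap-ns", ">"),   # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("pcap-ns", "<"),   # little-endian, nanosecond timestamps
}
GLOBAL_HDR_LEN = 24   # magic(4) ver_major(2) ver_minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
RECORD_HDR_LEN = 16   # ts_sec(4) ts_frac(4) incl_len(4) orig_len(4)


def classify_log(data: bytes) -> str:
    """Return 'pcap' for a libpcap capture, 'ascii' for a printable text log, else 'unknown'."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    sample = data[:512]
    if sample and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in sample):
        return "ascii"
    return "unknown"


def count_pcap_packets(data: bytes) -> int:
    """Walk every libpcap record header and return the packet count.

    Raises ValueError if the file is not libpcap or if a record is truncated,
    which is exactly what a replay tool would trip over part-way through.
    """
    magic = data[:4]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a libpcap file (bad magic %r)" % magic)
    _, endian = PCAP_MAGICS[magic]
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    _, _, _, _, _, snaplen, _ = struct.unpack(endian + "IHHiIII", data[:GLOBAL_HDR_LEN])

    offset, count = GLOBAL_HDR_LEN, 0
    while offset < len(data):
        if offset + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + RECORD_HDR_LEN])
        if incl_len > snaplen:
            raise ValueError("record at offset %d exceeds snaplen (%d > %d)" % (offset, incl_len, snaplen))
        if offset + RECORD_HDR_LEN + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        offset += RECORD_HDR_LEN + incl_len
        count += 1
    return count


# --- constructed sample inputs (not real captures from the thread) ---
def _record(payload: bytes, ts_sec: int) -> bytes:
    return struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload


_FAKE_ETH_FRAME = b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 19   # 34-byte stub frame
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian header, DLT_EN10MB
    + _record(_FAKE_ETH_FRAME, 1023379200)
    + _record(_FAKE_ETH_FRAME, 1023379201)
)
# Constructed line in the style of snort's verbose (-v) text output.
SAMPLE_ASCII_LOG = (
    b"06/11-11:23:00.000000 10.0.0.5:3182 -> 10.0.0.9:80\n"
    b"TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:40\n"
)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        kind = classify_log(blob)
        if kind != "pcap":
            print("%s: %s log, not replayable with snort -r" % (path, kind))
            continue
        try:
            print("%s: libpcap, %d packets, safe to replay" % (path, count_pcap_packets(blob)))
        except ValueError as err:
            print("%s: libpcap but damaged: %s" % (path, err))
```

Run it as `python check_log.py snort.log.*` before renaming or copying a file for replay; a file reported as `ascii` was never written by the tcpdump output plugin, and a `damaged` file is one to regenerate rather than parse.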