[Snort-users] I need some serious help
erek at ...577...
Tue Jun 11 11:43:02 EDT 2002
On Tue, 11 Jun 2002, Don wrote:
> That's the problem, snort is set up for tcpdump, I cannot replay the dump
> files, it gives an error, reading the files in an editor reveals there are a
> number of codered scans, and apparently something in the code prevents the
> playback, using the command line
> snort -dr snort.log -c c:\extract\snort.conf -l c:\extract\log
> snort is restarted daily, creating 0606 at ...6048... 0607 at ...6048..., and
> so on, I copy the logs to/from a remote system and play them back to get the
> alerts and log structure for parsing and investigation, these particular
> files from just this system, when I go to rename them to snort.log for the
> extraction process, it says in use, cannot be renamed, and the file then
> self-deletes. Weird, I say.
Well... From reading between the lines and guessing:
You're on a Win32 system--I'm sorry.
If you're snorting on a *NIX box and bringing the capture files over,
be sure you use the right transfer mode.
Other things that aren't even guessable:
What error? You say you have an error, but _what_ is it?
File in use? Did you _stop_ snort from running? If not, it's still
got the file descriptor open, and you can't really do too much with that on a
How are you running snort?
What version of Snort? 1.8.6 is latest release, 1.8.7beta6 is the
What's in your snort.conf?
Have you tried just running it as 'snort -vader <filename>' just to
make sure the data is valid? If that works, then your problem is in your