[Snort-users] "Saving State" in Snort

Chris Green cmg at ...1935...
Tue Apr 1 06:06:26 EST 2003


"Michael L. Artz" <dragon at ...8731...> writes:

> I am fairly new to Snort, so feel free to abuse away ...
>
[ snip ]

> Is there an intelligent way to do this?  I think that having Snort
> (optionally) dump its current state and then be able to read it in and
> start where it left off would be pretty cool, and solve my situation
> nicely.
>
> Any help would be appreciated.
>
> Thanks
> -Mike
>

Finally a use for reading in off stdin

(for i in *.cap.gz| do gzip -dc $i; done) | snort -r -  <args>

-- 
Chris Green <cmg at ...1935...>
Warning: time of day goes back, taking countermeasures.





More information about the Snort-users mailing list