[Snort-users] "Saving State" in Snort

Phil Wood cpw at ...441...
Tue Apr 1 07:19:09 EST 2003


On Tue, Apr 01, 2003 at 09:05:38AM -0500, Chris Green wrote:
> "Michael L. Artz" <dragon at ...8731...> writes:
> 
> > I am fairly new to Snort, so feel free to abuse away ...
> >
> [ snip ]
> 
> > Is there an intelligent way to do this?  I think that having Snort
> > (optionally) dump its current state and then be able to read it in and
> > start where it left off would be pretty cool, and solve my situation
> > nicely.
> >
> > Any help would be appreciated.
> >
> > Thanks
> > -Mike
> >
> 
> Finally a use for reading in off stdin
> 
> (for i in *.cap.gz; do gzip -dc $i; done) | snort -r -  <args>

Been doing it for years.  Now, when are you going to convert* all those crufty
stdout debug, info, and error messages to stderr, so we can:

  cat pcapfile.gz | snort -r - ... -b -L - > snort.cap.gz

? Never mind.

* convert script (unless your virus checker considers it harmful).

> 
> -- 
> Chris Green <cmg at ...1935...>
> Warning: time of day goes back, taking countermeasures.

-- 
Phil Wood, cpw at ...440...

-------------- next part --------------
# Rewrite bare printf( calls in the Snort sources as LogMessage( so that the
# debug/info/error chatter stops landing on stdout (which "-L -" needs clean).
# Each file is backed up once as FILE.orig before it is edited, so re-running
# the script is safe: files that already have a backup are skipped.
cd snort || exit 1
T=$(printf '\t')   # a literal tab, so the patterns survive copy and paste
find . -name "*.c" -print | while read -r c; do
  [ -f "$c.orig" ] && continue
  # Only touch files with a printf( preceded by a tab, a space or ")"
  if grep -q "[${T} )]printf[${T} ]*(" "$c" 2>/dev/null; then
    cp "$c" "$c.orig"
    # Keep the preceding character and rename the call; all three cases are
    # applied in one pass so a file mixing them is converted completely
    sed -e "s/[${T}]printf[${T} ]*(/${T}LogMessage(/g" \
        -e "s/[ ]printf[${T} ]*(/ LogMessage(/g" \
        -e "s/[)]printf[${T} ]*(/)LogMessage(/g" < "$c.orig" > "$c"
  fi
done
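Piping several captures into one reader on stdin, as in the one-liner quoted above, only works if what arrives is a single well-formed pcap stream: every file after the first carries its own 24-byte global header, which a pcap reader does not expect in the middle of a stream. The helper below is an added example, not code from either poster; it decompresses each input as needed and drops the global header of every file but the first. It assumes all inputs share the same link type, snaplen and byte order, and the name cat_pcaps is chosen here.

```shell
#!/bin/sh
# Emit one well-formed pcap stream from several capture files (plain or
# gzipped): the first file is passed through whole, every later file has its
# 24-byte global header removed so that only packet records follow.
# Assumption: all inputs share the same link type, snaplen and byte order.
cat_pcaps() {
  first=1
  for f in "$@"; do
    case "$f" in
      *.gz) dec="gzip -dc" ;;
      *)    dec="cat" ;;
    esac
    if [ "$first" -eq 1 ]; then
      $dec "$f"
      first=0
    else
      $dec "$f" | tail -c +25    # skip the global header (bytes 1-24)
    fi
  done
}

# Usage with the reader from the thread, e.g.:
#   cat_pcaps *.cap.gz | snort -r - <args>
```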

