[Snort-users] multiple files off of stdin?

Michael L. Artz dragon at ...8731...
Sat Apr 19 08:07:04 EDT 2003


Don't know if the last message got through, sorry if this is a dup ...

Anyway, is there a way to have snort process multiple files off of 
stdin?  I.e.

cat file1.pcap file2.pcap | snort -r - <other args>

fails just before processing file2 with the error: "pcap_loop: 
 truncated dump file", which I assume has to do with the little header 
that libpcap formatted files have at the beginning.  I can mergecap the 
files and run them through fine, it is only when I try and run multiple 
pcap files through, in a fashion such as:

(for i in *.cap.gz| do gzip -dc $i; done) | snort -r -  <args>

which I can't easily mergecap because of space issues.  Plus, I have the 
files spread across multiple DVDs and would like to have a little script 
that creates a snort pipe and then pumps pcap files to it, which could 
be written so that snort (and all session and reassembly information) 
survives a change of dvd.

Thanks
-Mike





More information about the Snort-users mailing list