[Snort-users] multiple files off of stdin?

Phil Wood cpw at ...440...
Sat Apr 19 09:42:03 EDT 2003


I cannot think of any reason to run snort just once.  Why not:

ls *.pcap | while read f; do
  snort -r "$f" ... other args
done

I've done this on many occasions (using mysql/acid) to populate an acid
web page.

On Sat, Apr 19, 2003 at 10:54:24AM -0400, Michael L. Artz wrote:
> Don't know if the last message got through, sorry if this is a dup ...
> 
> Anyway, is there a way to have snort process multiple files off of 
> stdin?  I.e.
> 
> cat file1.pcap file2.pcap | snort -r - <other args>
> 
> fails just before processing file2 with the error: "pcap_loop: 
> truncated dump file", which I assume has to do with the little header 
> that libpcap formatted files have at the beginning.  I can mergecap the 
> files and run them through fine, it is only when I try and run multiple 
> pcap files through, in a fashion such as:
> 
> (for i in *.cap.gz; do gzip -dc "$i"; done) | snort -r - <args>
> 
> which I can't easily mergecap because of space issues.  Plus, I have the 
> files spread across multiple DVDs and would like to have a little script 
> that creates a snort pipe and then pumps pcap files to it, which could 
> be written so that snort (and all session and reassembly information) 
> survives a change of dvd.
> 
> Thanks
> -Mike

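The "truncated dump file" error in the quoted message comes from the 24-byte libpcap file header that every concatenated file repeats in the middle of the stream. As an added example (not code from either poster or from the Snort project), the hypothetical script `pcapcat.py` below writes the first file's header once and then only the packet records of each file, so `snort -r -` reads one continuous capture; it assumes classic microsecond-timestamp pcap files that share a byte order and link type.

```python
import gzip
import struct
import sys

# Classic pcap magic (microsecond timestamps) -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def open_capture(path):
    """Open a capture file, decompressing .gz transparently."""
    return gzip.open(path, "rb") if path.endswith(".gz") else open(path, "rb")

def read_file_header(fh, name):
    """Read the 24-byte file header; return (raw, byte order, link type)."""
    hdr = fh.read(24)
    if len(hdr) != 24 or hdr[:4] not in MAGICS:
        raise ValueError(f"{name}: not a classic pcap file")
    endian = MAGICS[hdr[:4]]
    return hdr, endian, struct.unpack(endian + "I", hdr[20:24])[0]

def stream_pcaps(paths, out):
    """Write one pcap stream to out; return the number of packet records."""
    first, count = None, 0
    for path in paths:
        with open_capture(path) as fh:
            hdr, endian, linktype = read_file_header(fh, path)
            if first is None:
                first = (endian, linktype)
                out.write(hdr)  # the only file header the reader will see
            elif (endian, linktype) != first:
                raise ValueError(f"{path}: byte order or link type differs")
            while True:
                rec = fh.read(16)  # ts_sec, ts_usec, incl_len, orig_len
                if not rec:
                    break  # clean end of this file
                if len(rec) < 16:
                    raise ValueError(f"{path}: truncated record header")
                incl_len = struct.unpack(endian + "I", rec[8:12])[0]
                data = fh.read(incl_len)
                if len(data) < incl_len:
                    raise ValueError(f"{path}: truncated packet data")
                out.write(rec + data)
                count += 1
    out.flush()
    return count

if __name__ == "__main__":
    # Constructed usage: python3 pcapcat.py *.cap.gz | snort -r - <other args>
    n = stream_pcaps(sys.argv[1:], sys.stdout.buffer)
    print(f"streamed {n} packets", file=sys.stderr)
```

The reader only sees the first file's snaplen, so the files should have been captured with the same snaplen setting.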