[Snort-users] multiple files off of stdin?
cpw at ...440...
Sat Apr 19 09:42:03 EDT 2003
I cannot think of any reason to run snort just once. Why not:
ls *.pcap | while read f; do
    snort -r "$f" ... other args
done
I've done this on many occasions (using mysql/acid) to populate an acid
On Sat, Apr 19, 2003 at 10:54:24AM -0400, Michael L. Artz wrote:
> Don't know if the last message got through, sorry if this is a dup ...
> Anyway, is there a way to have snort process multiple files off of
> stdin? I.e.
> cat file1.pcap file2.pcap | snort -r - <other args>
> fails just before processing file2 with the error: "pcap_loop:
> truncated dump file", which I assume has to do with the little header
> that libpcap formatted files have at the beginning. I can mergecap the
> files and run them through fine, it is only when I try and run multiple
> pcap files through, in a fashion such as:
> (for i in *.cap.gz; do gzip -dc "$i"; done) | snort -r - <args>
> which I can't easily mergecap because of space issues. Plus, I have the
> files spread across multiple DVDs and would like to have a little script
> that creates a snort pipe and then pumps pcap files to it, which could
> be written so that snort (and all session and reassembly information)
> survives a change of dvd.
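
The "truncated dump file" error in the quoted message comes from the 24-byte header that starts every libpcap file: after the first file, snort reads the next file's header as if it were a packet record. The following is an added example, not part of the original thread and not code from the Snort project. It streams several captures (optionally gzipped) as one pcap with a single global header, so a single snort process reading stdin keeps its session and reassembly state across files. It assumes classic libpcap files (not pcapng) that share byte order and link type; the script name is hypothetical.

```python
#!/usr/bin/env python3
# Usage (script name is hypothetical): pcapcat.py *.cap.gz | snort -r - <other args>
import gzip
import struct
import sys

# Magic bytes as they appear on disk -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}
GLOBAL_HDR_LEN = 24  # per-file header; only the first one may reach the reader
RECORD_HDR_LEN = 16  # ts_sec, ts_frac, incl_len, orig_len


def open_capture(path):
    """Open a capture, decompressing on the fly when the name ends in .gz."""
    return gzip.open(path, "rb") if path.endswith(".gz") else open(path, "rb")


def merge_pcaps(paths, out):
    """Stream every packet in `paths` to `out` as one pcap; return packet count."""
    first = None  # (magic, linktype) of the first file
    packets = 0
    for path in paths:
        with open_capture(path) as fh:
            hdr = fh.read(GLOBAL_HDR_LEN)
            order = MAGICS.get(hdr[:4])
            if len(hdr) < GLOBAL_HDR_LEN or order is None:
                raise ValueError(f"{path}: not a libpcap capture file")
            ident = (hdr[:4], struct.unpack(order + "I", hdr[20:24])[0])
            if first is None:
                first = ident
                out.write(hdr)  # the only global header emitted
            elif ident != first:
                raise ValueError(f"{path}: byte order, precision or link type differs")
            # Copy record by record so a short read stops at a record boundary.
            while rec := fh.read(RECORD_HDR_LEN):
                if len(rec) < RECORD_HDR_LEN:
                    raise ValueError(f"{path}: truncated record header")
                (incl_len,) = struct.unpack(order + "I", rec[8:12])
                data = fh.read(incl_len)
                if len(data) < incl_len:
                    raise ValueError(f"{path}: truncated packet data")
                out.write(rec + data)
                packets += 1
    return packets


if __name__ == "__main__":
    merge_pcaps(sys.argv[1:], sys.stdout.buffer)
```

The snaplen in the emitted header is the first file's, so captures taken with a larger snaplen should be listed first.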