[Snort-users] multiple files off of stdin?

Michael L. Artz dragon at ...8731...
Sat Apr 19 14:14:47 EDT 2003


Phil Wood wrote:

>I cannot think of any reason to run snort just once.  Why not:
>
>ls *.pcap | while read f; do
>  snort -r "$f" ... other args
>done
>  
>
Because I want to try and examine *everything*, and all of the snort 
preprocessors (like the fragmentation and session reassembly, and any 
others that I might write) will lose their state every time snort is 
restarted.  So if an attack happened over the boundary of one of my 
files, snort won't pick it up.

I am contemplating just writing a little script to strip off the libpcap 
header on all files except the first one, if that is the problem.

-Mike
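
The header-stripping idea from the message above, as an added example that is not part of the original post: the first capture is written whole and every later one has its 24-byte libpcap global header removed, so one reader sees a single continuous capture. The function names and the sample captures are constructed for illustration, and the sketch assumes classic microsecond-resolution pcap files with the same byte order and link type.

```python
import io
import struct

PCAP_HDR_LEN = 24  # size of the libpcap global file header
# Magic bytes as they appear on disk -> struct byte-order prefix
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def parse_global_header(hdr):
    """Return (byte_order, linktype) from a 24-byte libpcap global header."""
    if len(hdr) != PCAP_HDR_LEN or hdr[:4] not in MAGICS:
        raise ValueError("not a classic libpcap file")
    order = MAGICS[hdr[:4]]
    linktype = struct.unpack(order + "I", hdr[20:24])[0]
    return order, linktype

def concat_pcaps(streams, out):
    """Write the first capture whole, later captures minus their global header."""
    first = None
    for i, s in enumerate(streams):
        hdr = s.read(PCAP_HDR_LEN)
        meta = parse_global_header(hdr)
        if first is None:
            first = meta
            out.write(hdr)  # only the first file contributes a header
        elif meta != first:
            # Records from a different byte order or link type would be misparsed
            raise ValueError(f"capture {i} has a different byte order or link type")
        while chunk := s.read(65536):
            out.write(chunk)

def make_pcap(payloads, linktype=1):
    """Constructed sample: a little-endian pcap with one record per payload."""
    buf = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for n, p in enumerate(payloads):
        buf += struct.pack("<IIII", n, 0, len(p), len(p)) + p
    return buf

def count_records(data):
    """Walk the per-packet headers and count records in a pcap byte string."""
    order, _ = parse_global_header(data[:PCAP_HDR_LEN])
    pos, n = PCAP_HDR_LEN, 0
    while pos < len(data):
        incl_len = struct.unpack(order + "I", data[pos + 8:pos + 12])[0]
        pos += 16 + incl_len  # 16-byte record header plus captured bytes
        n += 1
    return n

if __name__ == "__main__":
    merged = io.BytesIO()
    concat_pcaps([io.BytesIO(make_pcap([b"aa", b"bbb"])), io.BytesIO(make_pcap([b"c"]))], merged)
    print(count_records(merged.getvalue()))
```

The snap length in the merged stream is whatever the first file declared, so captures taken with a larger snap length should go first or be checked separately.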





