[Snort-users] multiple files off of stdin?
Michael L. Artz
dragon at ...8731...
Sat Apr 19 14:14:47 EDT 2003
Phil Wood wrote:
>I cannot think of any reason to run snort just once. Why not:
>ls *.pcap | while read f; do
> snort -r "$f" ... other args
>done
Because I want to try and examine *everything*, and all of the snort
preprocessors (like the fragmentation and session reassembly, and any
others that I might write) will lose their state every time snort is
restarted. So if an attack happened over the boundary of one of my
files, snort won't pick it up.
I am contemplating just writing a little script to strip off the libpcap
header on all files except the first one, if that is the problem.
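A sketch of the header-stripping script contemplated above, as an added example that is not part of the original post: it keeps the 24-byte libpcap global header of the first capture only and refuses to join captures whose byte order or link type differ. The function names and the in-memory sample captures are constructed for illustration, and it assumes classic microsecond-resolution libpcap files.

```python
import io
import shutil
import struct

HDR_LEN = 24  # size of the libpcap global (file) header
# Classic microsecond-resolution magic as stored on disk -> struct byte order
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def read_global_header(stream):
    """Consume the global header; return (raw_header, byte_order, linktype)."""
    hdr = stream.read(HDR_LEN)
    if len(hdr) != HDR_LEN or hdr[:4] not in MAGICS:
        raise ValueError("not a classic libpcap capture")
    order = MAGICS[hdr[:4]]
    # Fields: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(order + "IHHiIII", hdr)[6]
    return hdr, order, linktype

def concat_pcaps(streams, out):
    """Copy the first capture whole, then only the packet records of the rest."""
    first = None
    for i, s in enumerate(streams):
        hdr, order, linktype = read_global_header(s)
        if first is None:
            first = (order, linktype)
            out.write(hdr)  # the single header the reader will see
        elif (order, linktype) != first:
            # Records would be misparsed if byte order or link type changed.
            raise ValueError(f"capture {i} does not match the first capture")
        shutil.copyfileobj(s, out)  # packet records are copied unchanged

def count_records(data):
    """Walk a capture's record headers and count the packets."""
    _, order, _ = read_global_header(io.BytesIO(data[:HDR_LEN]))
    pos, n = HDR_LEN, 0
    while pos < len(data):
        incl_len = struct.unpack_from(order + "IIII", data, pos)[2]
        pos += 16 + incl_len  # 16-byte record header plus captured bytes
        n += 1
    return n

def make_pcap(payloads, order="<", linktype=1):
    """Build a constructed sample capture in memory (linktype 1 = Ethernet)."""
    buf = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in payloads:
        buf += struct.pack(order + "IIII", 0, 0, len(p), len(p)) + p
    return buf
```

The joined output carries the first file's snaplen, so captures taken with different snap lengths should be checked before they are merged this way.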