[Snort-users] Snort doesn't understand pf (OpenBSD) format
mkettler at ...4108...
Mon Nov 29 15:30:00 EST 2004
At 06:09 PM 11/29/2004, Breno Leitão wrote:
>leitao at ...12726...:~/snort/snort-2.3.0RC1/src$ ./snort -c snort.conf -l /tmp -r
> What is wrong with that? Does snort understand the pf log format?
No, snort doesn't understand any textual log formats at all, including pf.
The manpage is pretty clear about what kind of format -r expects. It
expects a tcpdump format file.
It also doesn't expect a copy of tcpdump's text-mode output; it expects a
tcpdump capture file generated with tcpdump -w. Such files are binary
files, not text. They are more-or-less a capture of the packets in their
raw format, just dumped to disk instead of in memory, so it's pretty easy
for snort to parse.
Reconstructing a packet from an ASCII mode logfile is a considerable feat,
if it's even possible (not all log formats dump the entire packet contents,
From the snort manpage:
    Read the tcpdump-formatted file tcpdump-file. This will cause Snort to
    read and process the file fed to it. This is useful if, for instance,
    you've got a bunch of SHADOW files that you want to process for
    content, or even if you've got a bunch of reassembled packet fragments
    which have been written into a tcpdump formatted file.
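As an added example (not part of the original post or of Snort itself), a small Python check that tells a tcpdump -w capture apart from a text log before it is handed to snort -r: it validates the libpcap global header and walks the per-packet records. The sample capture and the pf-style log line are constructed here for illustration.

```python
import struct

# Magic numbers written by tcpdump -w (libpcap). The byte order of the magic
# tells us the endianness of every other header field in the file.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microseconds"),  # little-endian, usec timestamps
    b"\xa1\xb2\xc3\xd4": (">", "microseconds"),  # big-endian, usec timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "nanoseconds"),   # little-endian, nsec timestamps
    b"\xa1\xb2\x3c\x4d": (">", "nanoseconds"),   # big-endian, nsec timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # Section Header Block of the newer pcapng format


def inspect_capture(data: bytes) -> dict:
    """Return header details and packet count for a libpcap file, or why it is not one."""
    if len(data) < 24:
        return {"ok": False, "reason": "shorter than the 24-byte pcap global header"}
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        return {"ok": False, "reason": "pcapng file, not the classic tcpdump -w format"}
    if magic not in PCAP_MAGICS:
        # A pf or tcpdump text log starts with printable characters, never a binary magic.
        printable = all(32 <= b < 127 or b in b"\t\r\n" for b in data[:64])
        return {"ok": False, "reason": "text file, not a capture" if printable else "unknown format"}
    endian, ts_unit = PCAP_MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    # Each record: 16-byte header (ts_sec, ts_frac, incl_len, orig_len) followed by incl_len bytes.
    count, off = 0, 24
    while off + 16 <= len(data):
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            return {"ok": False, "reason": f"truncated or corrupt record at offset {off}"}
        off += 16 + incl_len
        count += 1
    return {"ok": True, "version": f"{major}.{minor}", "snaplen": snaplen,
            "linktype": linktype, "timestamps": ts_unit, "packets": count}


def build_sample_pcap() -> bytes:
    """Constructed sample: minimal little-endian pcap, DLT_EN10MB (1), two short Ethernet frames."""
    header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    frames = [b"\x00" * 14 + b"ABC", b"\x00" * 14]
    records = b"".join(struct.pack("<IIII", 1101761340, 0, len(f), len(f)) + f for f in frames)
    return header + records


# Constructed pf-style text log line (RFC 5737 documentation addresses), the kind of input -r rejects.
SAMPLE_TEXT_LOG = b"Nov 29 18:09:00.000000 rule 0/(match) pass in on fxp0: 192.0.2.1.1234 > 192.0.2.2.80: S\n"

if __name__ == "__main__":
    print(inspect_capture(build_sample_pcap()))
    print(inspect_capture(SAMPLE_TEXT_LOG))
```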