[Snort-users] Reading a TCPdump file

Jeff Dell jdell at ...1095...
Fri Oct 22 08:08:27 EDT 2004


You might want to also try to add "-k none" to the command line. I would bet
the checksums are bad.
 
Jeff


  _____  

From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Mark Johnston
Sent: Thursday, October 21, 2004 10:16 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Reading a TCPdump file



Hi all, 

Wondering if you can help with this matter that I am having in reading a
TCPdump format file. 

I'm looking at one of the honeynet scan of the month projects (#27). And
what I'm trying to do is get snort to read the TCPdump capture file and view
the alerts. Thus far I have configured the conf file to have the appropriate
values and run snort against the file, however I'm not getting any generated
alerts. I know that I should be getting some though. I also have the latest
version of the rules and am running snort 2.2 for Fedora Core 2. The command
that I am using is "snort -A full -c /etc/snort/snort.conf -r sotm27"

Just to see if snort is working properly I created a "any any" rule and put
it into NIDS mode. Alerts were generated then by the dozens.

Any ideas ? 

Thanks 
Mark 



**********************************************************************
This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they 
are addressed. It may not be used or disclosed except for the 
purpose for which it has been sent. If you have received this 
e-mail in error please notify the system administrator 
postmaster at ...12582... quoting the senders address. If you are not the 
intended recipient you must not use, disclose, distribute, copy, 
print or rely on this e-mail and must delete the message and any 
documents. Please advise immediately if you or your employer 
do not consent to Internet e-mail for messages of this kind. 
Unless expressly stated, opinions in this message are those of 
the individual sender and not of Blue Square. Blue Square 
accepts no liability or responsibility for any onward transmission 
or use of e-mails and attachment having left the Blue Square domain.



This footnote also confirms that this e-mail message has been swept
by MIMEsweeper for the presence of computer viruses. Whilst we 
have taken reasonable precautions to ensure that this e-mail and 
any attachments have been swept for viruses, we cannot accept 
liability for any damage sustained as a result of software viruses and 
would advise that you carry out your own virus checks before 
opening any attachment.



www.bluesq.com
**********************************************************************


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041022/0c3dbfff/attachment.html>


More information about the Snort-users mailing list