[Snort-users] SNORT not saving pcap file

waldo kitty wkitty42 at ...14940...
Thu Oct 25 20:45:39 EDT 2012


On 10/25/2012 19:18, jtravlos at ...15803... wrote:
> When I do the command, a file shows up in the folder, but then disappears when I
> stop SNORT.

"a file"?? what file? what is the name?

> It appears when I use snort.conf, it won't save the file.

this sounds like possibly some kind of clean up from your script that executes 
snort... more info is needed :/

>
>     *From:* Joel Esler [mailto:jesler at ...1935...]
>     *Sent:* Thursday, October 25, 2012 03:18 PM
>     *To:* jtravlos at ...15803...
>     *Cc:* snort-users at lists.sourceforge.net
>     *Subject:* Re: [Snort-users] SNORT not saving pcap file
>
>     Your command line is overriding your .conf
>
>     Try
>
>     ./snort -i dag0:0 -c /etc/snort/snort.conf
>
>     --
>     *Joel Esler*
>     Senior Research Engineer, VRT
>     OpenSource Community Manager
>     Sourcefire
>
>     On Oct 25, 2012, at 2:54 PM, jtravlos at ...15803...
>     <mailto:jtravlos at ...15803...> wrote:
>
>>     I'm running snort 2.9.3.1 on CentOS 6.3 capturing traffic via Endace DAG
>>     card. I want to save to a file (pcap format) the traffic that it sees. I
>>     know in snort.conf there are some settings, but it does not appear to
>>     save the file. Whenever I use the snort.conf, it is not saved.
>>
>>     The settings are:
>>     config logdir: /data/snortlog
>>
>>     # pcap
>>     output log_tcpdump: tcpdump.log
>>
>>     The command I'm using to start snort:
>>
>>     ./snort -d -b -i dag0:0 -c /etc/snort/snort.conf
>>
>>     If I use this, I get a file that tcpdump can read, but no detailed packet info.
>>
>>     ./snort -d -b -i dag0:0 -l /data/snortlog -L tcpdump.log
>>
>>
>>     Attached is the snort.conf.
>>
>>     Any suggestions? What am I doing wrong?
>>
>>     Thanks,
>>
>>     John Travlos
