[Snort-users] Pcap filename from --pcap-dir?

beenph beenph at ...11827...
Sat Jan 5 10:11:50 EST 2013


On Sat, Jan 5, 2013 at 9:23 AM, Andre DiMino <adimino at ...16035...>
wrote:
>
> I often run snort against a directory of dumped pcaps from sandbox
> output using the --pcap-dir option. I output the entire run in csv
> format.
> Ideally, I'd like to include the name of the pcap or other identifying
> information in the csv output.
>
> I know I could script something to read one file at a time and output
> it that way, but I'm looking to make better use of the --pcap-dir
> option in an automated bulk process.
> Has anyone done something similar who can shed some ideas?
>
> Thanks!
> Andre'


If your pcaps have a daemonlogger-type format,
e.g. daemonlogger.pcap.timestamp (timestamp or incremental value),
you can use https://github.com/binf/DAQ_PCAP_SPOOLER, which I wrote.
Note that the filename prefix is configurable.
-elz
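As an added example (not code from the thread, and not part of either poster's tooling), here is the per-file wrapper Andre describes, in POSIX sh: instead of --pcap-dir it runs snort once per pcap with -r into a per-file log directory, then prepends the pcap filename as a quoted first column to that run's alert_csv output. It assumes a Snort 2 config that contains `output alert_csv: alert.csv default` (so each run writes alert.csv under the -l directory); the directory layout, function names and the sample alert lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Run snort once per pcap so the source
# filename can be recorded next to each alert. Assumes snort.conf contains
#   output alert_csv: alert.csv default
# so every run writes $LOGDIR/alert.csv. snort is only invoked from
# run_pcap_dir, never at top level, so the file can be sourced offline.

# tag_csv PCAPNAME CSVFILE
# Print CSVFILE with PCAPNAME prepended as a quoted first column (quoted
# because filenames may contain commas; embedded quotes are doubled).
# Blank lines are skipped. The name is passed via the environment rather
# than awk -v so backslashes in filenames are not escape-processed.
tag_csv() {
    pcap="$1"; csv="$2"
    PCAP="$pcap" awk 'BEGIN { p = ENVIRON["PCAP"]; gsub(/"/, "\"\"", p); p = "\"" p "\"" }
                     NF { print p "," $0 }' "$csv"
}

# run_pcap_dir DIR LOGBASE CONF OUT
# For each DIR/*.pcap: run snort quietly on that one file into its own log
# directory under LOGBASE, then append the tagged alert.csv to OUT.
# (-q no banner/stats, -c config, -r read one pcap, -l log directory)
run_pcap_dir() {
    dir="$1"; logbase="$2"; conf="$3"; out="$4"
    : > "$out"
    for f in "$dir"/*.pcap; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        logdir="$logbase/$name"
        mkdir -p "$logdir"
        if ! snort -q -c "$conf" -r "$f" -l "$logdir"; then
            echo "snort failed on $f" >&2
            continue
        fi
        if [ -f "$logdir/alert.csv" ]; then
            tag_csv "$name" "$logdir/alert.csv" >> "$out"
        fi
    done
}

# Stand-alone demo on a constructed alert_csv fragment (not real snort output).
demo_tag() {
    tmp=$(mktemp)
    printf '01/05-10:11:50.000000,1:2000001:1,sample rule one\n\n01/05-10:11:51.000000,1:2000002:1,sample rule two\n' > "$tmp"
    tag_csv 'sandbox,run1.pcap' "$tmp"
    rm -f "$tmp"
}

demo_tag
```

Usage for the real thing would be `run_pcap_dir /path/to/pcaps /tmp/snortlogs /etc/snort/snort.conf all_alerts.csv`; the per-file -l directory is what keeps one run's alert.csv from being appended to by the next.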