[Snort-users] snort using rpcap in windows

Al Lewis (allewi) allewi at ...589...
Tue Feb 17 07:17:52 EST 2015


Take a look at the README file included with the DAQ:

PCAP Module
===========

pcap is the default DAQ.  If snort is run w/o any DAQ arguments, it will
operate as it always did using this module.  These are equivalent:

    ./snort -i <device>
    ./snort -r <file>

    ./snort --daq pcap --daq-mode passive -i <device>
    ./snort --daq pcap --daq-mode read-file -r <file>



You need to use "--daq-mode read-file" if you are going to use pcap mode with the DAQ.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Eugene Grama [mailto:eugene.grama at ...11827...]
Sent: Tuesday, February 17, 2015 4:28 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort using rpcap in windows

I tried searching on Google, but still with no luck, and I keep bumping into this file:

http://snort.sourcearchive.com/documentation/2.8.5.2/remote-ext_8h-source.html

http://snort.sourcearchive.com/documentation/2.8.5.2/group__remote__source__string.html
I'm not sure what this is for, and I cannot even locate this remote-ext.h file on my machine (if this is a file).
Thank you and best regards,
eugene

On Tue, Feb 17, 2015 at 5:19 PM, Eugene Grama <eugene.grama at ...11827...> wrote:
Hello again,
I used this command and it is working and collecting packets:

dumpcap -i rpcap://[xx.xx.xx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} -w c:\dumpcap.log
I need this traffic to pass through Snort so that it will generate alerts.
How can this be done? Any advice?


Thank you and best regards,
eugene

On Tue, Feb 17, 2015 at 2:24 PM, Eugene Grama <eugene.grama at ...11827...> wrote:

Hello,

Can Snort run using rpcap? I'm trying this command, but it is not successful:

snort -c c:\Snort\etc\snort.conf -l c:\Snort\log --daq pcap --daq-mode inline -i rpcap://[xx.xxx.xxx.xx]:2002/\Device\NPF_{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}

I run into: ERROR: pcap does not support inline

When I run the command snort --daq-list, the result is: Available DAQ modules: pcap(v3): readback live multi unpriv

Please help: how can I connect to and collect data from my remote machine (a Windows web server)?
--
Thank you and Best regards,

Eugene




--
Thank you and Best regards,

Eugene



--
Thank you and Best regards,

Eugene
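The capability list in the thread (pcap(v3): readback live multi unpriv) already tells you which --daq-mode values the pcap DAQ will accept: "live" pairs with --daq-mode passive and -i <device>, "readback" pairs with --daq-mode read-file and -r <file>, and the absence of "inline" is exactly why the inline attempt fails. The POSIX shell script below is an added example written for this page, not code from the thread or from the Snort project. It turns that rule into a small checker that picks a supported mode from a constructed copy of the snort --daq-list output and assembles the Snort command line, then prints the two-step workaround the thread points at: capture the remote rpcap source to a file with dumpcap and read the file back into Snort. The config path, log directory, rpcap URL and output file are placeholders; whether the pcap DAQ will open an rpcap:// URL directly is not something the thread establishes, so the example does not assume it.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): pick a --daq-mode
# that the pcap DAQ module actually advertises, then assemble the Snort
# command line. Paths, the rpcap URL and the output file are placeholders.

# Module line as printed by `snort --daq-list` in the thread; this is a
# constructed copy used as sample input.
DAQ_LIST_LINE='pcap(v3): readback live multi unpriv'

# has_cap LINE CAP -> exit 0 if CAP appears in the module's capability list
has_cap() {
  caps=" ${1#*:} "          # drop the "pcap(v3):" prefix, pad with spaces
  case "$caps" in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# pick_daq_mode LINE SOURCE_KIND WANTED_MODE
#   SOURCE_KIND is "device" (for -i) or "file" (for -r). Prints the usable
#   mode, or fails with a reason that mirrors "pcap does not support inline".
pick_daq_mode() {
  line="$1"; kind="$2"; want="$3"
  case "$want" in
    inline)
      has_cap "$line" inline || { echo "error: pcap does not support inline" >&2; return 1; }
      echo inline ;;
    passive)
      has_cap "$line" live || { echo "error: module has no live capture" >&2; return 1; }
      [ "$kind" = device ] || { echo "error: passive mode needs -i <device>" >&2; return 1; }
      echo passive ;;
    read-file)
      has_cap "$line" readback || { echo "error: module has no readback" >&2; return 1; }
      [ "$kind" = file ] || { echo "error: read-file mode needs -r <file>" >&2; return 1; }
      echo read-file ;;
    *)
      echo "error: unknown mode '$want'" >&2; return 1 ;;
  esac
}

# snort_cmd LINE SOURCE_KIND WANTED_MODE SOURCE -> full snort invocation
# (placeholder config and log paths; adjust for your install).
snort_cmd() {
  mode=$(pick_daq_mode "$1" "$2" "$3") || return 1
  if [ "$2" = file ]; then flag=-r; else flag=-i; fi
  echo "snort -c /etc/snort/snort.conf -l /var/log/snort --daq pcap --daq-mode $mode $flag $4"
}

# Demo: the inline attempt from the thread fails the capability check, so
# capture the remote source with dumpcap and let Snort read the file back.
RPCAP_URL='rpcap://[xx.xx.xx.xx]:2002/\Device\NPF_{placeholder}'   # placeholder
snort_cmd "$DAQ_LIST_LINE" device inline "$RPCAP_URL" || echo "inline rejected, falling back to capture-then-read"
echo "dumpcap -i '$RPCAP_URL' -w remote.pcap"
snort_cmd "$DAQ_LIST_LINE" file read-file remote.pcap
```

The checker only reads the capability words, so it applies unchanged to any module line snort --daq-list prints: a module that advertises "inline" passes the first branch, one that lacks "readback" is refused for -r, and the error text is the same shape Snort itself produces.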