[Snort-users] Snort read a incremental file

Joel Esler (jesler) jesler at ...589...
Mon Jan 30 10:46:49 EST 2017


Is there a particular reason that you are doing it this way, or can you just read directly from the network interface?

--
Joel Esler | Talos: Manager | jesler at ...589...






> On Jan 30, 2017, at 10:42 AM, Paul Li <paul at ...17768...> wrote:
> 
> Thanks Felix. That works well for my issue. Much appreciated.
> 
> A follow-up question: if I have multiple pipes like this one, would there be any order in which Snort reads them?
> 
> Thanks,
> Paul
> 
> On Saturday, January 28, 2017, Felix Erlacher <felix.erlacher at ...17726...> wrote:
> Hi Paul,
> 
> On a decent OS you can write pcap data to a named pipe and make snort
> read from that named pipe. That might be a solution in your case.
> 
> Example on Debian:
> #mkfifo mypipe
> then make your program write data to that file, and with snort simply
> #snort -c snort.conf -r ./mypipe
> 
> greets
> 
> felix
> 
> On 28/01/17 14:52, Paul Li wrote:
> > I've got a pcap file that keeps adding new network data. I know Snort can
> > read a file, but is there a way Snort can read the continuously added
> > data to the file?
> >
> > Thanks,
> > Paul
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> 
> --
> Felix Erlacher
> ccs-labs.org/~erlacher <http://ccs-labs.org/~erlacher>
> 
> Key-ID:4EAC0959
> 
> 
> 

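The named-pipe approach from Felix's reply, applied to the growing capture file in the original question, as an added example that is not part of the thread. Using `tail -c +1 -f` as the writer is an assumption, and `is_pcap`, `stream_pcap`, `STREAM_PID` and the script name are hypothetical; the Snort command in the comment is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. The writer (tail) is an assumption;
# is_pcap, stream_pcap and STREAM_PID are hypothetical names.

# is_pcap FILE: succeed if FILE starts with a classic pcap magic number
# (microsecond or nanosecond timestamps, either byte order).
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $magic in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# stream_pcap FILE FIFO: follow FILE from its first byte into FIFO, so the
# reader gets the 24-byte global header once and then each appended record.
stream_pcap() {
    src=$1
    fifo=$2
    # Refuse to start before the capture tool has written the file header;
    # a reader handed a headerless stream cannot parse it.
    is_pcap "$src" || { echo "no pcap header in $src" >&2; return 1; }
    # Mode 600: only the owning account may feed or read the pipe, so other
    # local users cannot inject packets into the sensor or read the traffic.
    [ -p "$fifo" ] || mkfifo -m 600 "$fifo" || return 1
    # The open of the FIFO blocks in the background job until a reader
    # (for example: snort -c snort.conf -r ./mypipe) opens the other end.
    tail -c +1 -f "$src" > "$fifo" &
    STREAM_PID=$!
}

# Stand-alone use: sh stream.sh growing.pcap mypipe
if [ "$#" -eq 2 ]; then
    stream_pcap "$1" "$2" && wait "$STREAM_PID"
fi
```

Stop the feed with `kill "$STREAM_PID"` once the reader has exited.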