At 06:09 PM 11/29/2004, Breno Leitão wrote:
leitao@anthem:~/snort/snort-2.3.0RC1/src$ ./snort -c snort.conf -l /tmp -r
~/tmp/pflog.2
<snip>
What is wrong with that? Does snort understand the pf log format?
No, snort doesn't understand any textual log formats at all, including pf.
The manpage is pretty clear about what kind of format -r expects. It
expects a tcpdump format file.
It also doesn't expect a copy of tcpdump's text-mode output, it expects a
tcpdump capture file generated with tcpdump -w. Such files are binary
files, not text. They are more-or-less a capture of the packets in their
raw format, just dumped to disk instead of in memory, so it's pretty easy
for snort to parse.
Reconstructing a packet from an ascii mode logfile is a considerable feat,
if it's even possible (not all log formats dump the entire packet contents,
does PF?)
From the snort manpage:
-r tcpdump-file
Read the tcpdump-formatted file tcpdump-file. This
will cause Snort to read and process the file fed
to it. This is useful if, for instance, you've got
a bunch of SHADOW files that you want to process
for content, or even if you've got a bunch of
reassembled packet fragments which have been writ-
ten into a tcpdump formatted file.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
