Snort mailing list archives
Re: Get one specific attack dump from snort dump file.
From: Joel Esler <joel.esler () sourcefire com>
Date: Sat, 5 Jan 2008 10:57:10 -0500
You can use Snort or tcpdump to read the pcap files back. Use the -r tag in order to read the contents of the file. For example:

snort -r snort_tcpdump.log

J

On Sat, Jan 05, 2008 at 11:28:22AM -0200, it looks like Jorge Luiz Corrêa sent me:
Hello World. This is my first post. I have looked for some time for a way to get the information about one specific attack from the snort dump file, but I didn't find it. :/

For example, my snort is configured to gather packets in snort_tcpdump.log and alerts in alert.log. When I see one alert in alert.log, I need to get the packets from snort_tcpdump.log related to this alert. Can someone help me? Is there a way to do this?

For example, I need a system very similar to the one present on the Honeywall CDROM (Honeynet Project). In this tool it is possible to visualize the occurrences of alerts. By clicking on an alert we can choose a 'decode packets' option that shows exactly the packets of this alert. Is there an option like this in snort or tcpdump? I think this operation is performed by a set of perl scripts in the Honeywall tool.

Thanks for all. :)
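The step the reply leaves to the reader is turning one line of alert.log into a filter for `tcpdump -r`. The added example below (not from the thread or from Snort itself) parses Snort's "fast" alert format, builds a BPF expression for the flow named in the alert, and produces the tcpdump command line that pulls just those packets out of snort_tcpdump.log; the alert lines and addresses are constructed, and the output file name is an assumption.

```python
import re
import shlex

# Constructed sample lines in Snort's "fast" alert format (snort -A fast);
# the SIDs, messages and addresses are made up for illustration.
SAMPLE_ALERTS = """\
01/05-11:28:22.104512  [**] [1:1000001:1] TEST web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:41234 -> 198.51.100.5:80
01/05-11:29:01.550000  [**] [1:1000002:1] TEST ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5
"""

# timestamp, [gid:sid:rev], message, optional classification/priority,
# {PROTO}, then "src[:sport] -> dst[:dport]" (IPv4 only here)
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def bpf_filter(alert):
    """BPF expression selecting the alert's flow in both directions.

    'host A and host B and port X and port Y' matches request and reply
    packets, so the response to the flagged packet is captured as well."""
    proto = alert["proto"].lower()
    parts = [proto, f"host {alert['src']}", f"host {alert['dst']}"]
    if proto in ("tcp", "udp") and alert["sport"] and alert["dport"]:
        parts += [f"port {alert['sport']}", f"port {alert['dport']}"]
    return " and ".join(parts)


def tcpdump_command(alert, pcap="snort_tcpdump.log", out=None):
    """argv for tcpdump reading the Snort pcap; -w writes the matches to a new pcap."""
    argv = ["tcpdump", "-nn", "-r", pcap]
    if out:
        argv += ["-w", out]
    return argv + [bpf_filter(alert)]


if __name__ == "__main__":
    for line in SAMPLE_ALERTS.splitlines():
        alert = parse_alert(line)
        if alert:
            print(alert["sid"], shlex.join(tcpdump_command(alert, out=f"sid{alert['sid']}.pcap")))
```

Run the printed command (or pass the same filter to `snort -r`) to decode only the packets that belong to that alert.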