Snort mailing list archives

Re: Get one specific attack dump from snort dump file.


From: Joel Esler <joel.esler () sourcefire com>
Date: Sat, 5 Jan 2008 10:57:10 -0500

You can use Snort or tcpdump to read the pcap files back.

Use the -r flag to read the contents of the file.

For example: snort -r snort_tcpdump.log

J


On Sat, Jan 05, 2008 at 11:28:22AM -0200, it looks like Jorge Luiz Corrêa sent me:
Hello World. This is my first post.

I have been looking for some time for a way to get information about one specific 
attack from the snort dump file, but I didn't find it. :/

For example, my snort is configured to gather packets in 
snort_tcpdump.log and alerts in alert.log. When I see an alert in 
alert.log, I need to get the packets from snort_tcpdump.log related to 
that alert. Can someone help me? Is there a way to do this?

For example, I need a system very similar to the one in the Honeywall 
CDROM (Honeynet Project). In that tool it is possible to visualize the 
occurrences of alerts. By clicking on an alert we can choose a 'decode 
packets' option that shows exactly the packets of that alert.

Is there an option like this in snort or tcpdump? I think this operation 
is performed by a set of perl scripts in the Honeywall tool.

Thanks to all.
:)

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
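As an added example (not code from Joel's reply, from Snort, or from the Honeywall tool): a small POSIX shell helper that does what the question asks for, taking one line of Snort's fast-format alert log (assumed to end in `{PROTO} SRC[:SPORT] -> DST[:DPORT]`), turning it into a BPF filter for the two endpoints, and reading snort_tcpdump.log back with tcpdump -r to write just that alert's packets to their own pcap. The file names come from the question; the alert lines in the comments are constructed, and the function names are my own.

```shell
#!/bin/sh
# Turn one line of Snort's fast-format alert log into a BPF filter.
# Assumed line ending (alert_fast output):  {PROTO} SRC[:SPORT] -> DST[:DPORT]
# Constructed sample line:
#   01/05-11:28:22.123456 [**] [1:100000:1] TEST [**] [Priority: 3] {TCP} 192.0.2.10:44321 -> 198.51.100.5:80
# yields "host 192.0.2.10 and host 198.51.100.5 and tcp and port 44321 and port 80",
# which matches both directions of the flow. Returns 1 if the line has no
# endpoint block. Assumes IPv4 endpoints (an IPv6 address would be split on ':').
alert_to_bpf() {
    printf '%s\n' "$1" | awk '
    NF >= 4 && $(NF-1) == "->" && $(NF-3) ~ /^[{][A-Za-z0-9]+[}]$/ {
        tok = $(NF-3)
        proto = tolower(substr(tok, 2, length(tok) - 2))   # {TCP} -> tcp
        ns = split($(NF-2), s, ":")                         # src[:sport]
        nd = split($NF, d, ":")                             # dst[:dport]
        f = "host " s[1] " and host " d[1] " and " proto
        if (ns == 2 && nd == 2)                             # TCP/UDP carry ports
            f = f " and port " s[2] " and port " d[2]
        print f
        ok = 1
    }
    END { exit (ok ? 0 : 1) }'
}

# Read the Snort packet log back with -r (as Joel suggests) and keep only the
# packets matching one alert line, writing them to their own pcap for decoding.
extract_alert_packets() {
    alert_line=$1; pcap=$2; out=$3
    filter=$(alert_to_bpf "$alert_line") || return 1
    tcpdump -n -r "$pcap" -w "$out" "$filter"
}

# Usage (file names as in the question): one pcap per alert line.
#   n=0
#   while IFS= read -r line; do
#       n=$((n + 1))
#       extract_alert_packets "$line" snort_tcpdump.log "alert_$n.pcap"
#   done < alert.log
```

The fast-format timestamp carries no year, so the filter keys on endpoints and ports only; if the same pair of hosts talks repeatedly, all of that traffic ends up in the output pcap and the alert's timestamp has to be used to pick the right packets from it.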



