Re: -pcap-dir=c:\Network_Device_Logs -pcap-show isn't working, hangs at "commencing packet processing"

[Matt Lenco <mattlenco () yahoo com>]

Pulled it from the site two weeks ago....
> Snort! <*-
  Version 2.9.0.2-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 92)
  By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
        Copyright (C) 1998-2010 Sourcefire, Inc., et al.
        Using PCRE version: 8.10 2010-06-25
        Using ZLIB version: 1.2.3




________________________________
From: Joel Esler <jesler () sourcefire com>
To: Matt Lenco <mattlenco () yahoo com>
Cc: snort-users () lists sourceforge net
Sent: Tue, December 21, 2010 12:14:55 PM
Subject: Re: [Snort-users] -pcap-dir=c:\Network_Device_Logs -pcap-show isn't 
working, hangs at "commencing packet processing"

It does on my box, what version of Snort are you running?

--pcap-single <tf>              Same as -r.
   --pcap-file <file>              file that contains a list of pcaps to read - 
read mode is implied.
   --pcap-list "<list>"            a space separated list of pcaps to read - 
read mode is implied.
   --pcap-dir <dir>                a directory to recurse to look for pcaps - 
read mode is implied.
   --pcap-filter <filter>          filter to apply when getting pcaps from file 
or directory.
   --pcap-no-filter                reset to use no filter when getting pcaps 
from file or directory.
   --pcap-loop <count>             this option will read the pcaps specified on 
command line continuously.
                                   for <count> times.  A value of 0 will read 
until Snort is terminated.
   --pcap-reset                    if reading multiple pcaps, reset snort to 
post-configuration state before reading next pcap.
   --pcap-show                     print a line saying what pcap is currently 
being read.


J

On Dec 21, 2010, at 12:13 PM, Matt Lenco wrote:

Joel
> Why doesn't SNORT show -pcap-dir= as an option?
>
>   --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library
>   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries 
> from directory
>   --pcap-single <tf>              Same as -r.
>   --pcap-file <file>              file that contains a list of pcaps to read - 
> read mode is implied.
>   --pcap-list "<list>"            a space separated list of pcaps to read - 
> read mode is implied.
>   --pcap-loop <count>             this option will read the pcaps specified on 
> command line continuously.
>                                          for <count> times.  A value of 0 will 
> read until Snort is terminated.
>   --pcap-reset                    if reading multiple pcaps, reset snort to 
> post-configuration state before reading next pcap.
>   --pcap-show                     print a line saying what pcap is currently 
> being read.
>   --exit-check <count>            Signal termination after <count> callbacks 
> from DAQ_Acquire(), showing the time it
>                                          takes from signaling until DAQ_Stop() 
> is called.
________________________________
From: Joel Esler <jesler () sourcefire com>
> To: Matt Lenco <mattlenco () yahoo com>
> Cc: snort-users () lists sourceforge net
> Sent: Tue, December 21, 2010 11:51:47 AM
> Subject: Re: [Snort-users] -pcap-dir=c:\Network_Device_Logs -pcap-show isn't 
> working, hangs at "commencing packet processing"
>
> I just did the same thing (except with 87 pcaps in one directory) on my Linux 
> box and it ran in about 2 minutes.
>
>
> J
>
>
> On Dec 21, 2010, at 11:44 AM, Matt Lenco wrote:
>
> Joel
> > I am doing a test of just three Wireshark pcap files, basically two copies of a 
> > file, 86KB. It has been now for 7 minutes.
> >
> > Commencing packet processing (pid=3044)
> > *** Caught Int-Signal
> > ===============================================================================

> > Run time for packet processing was 446.27000 seconds
> > Snort processed 0 packets.
> > Snort ran for 0 days 0 hours 7 minutes 26 seconds
> >   Pkts/min:            0
> >   Pkts/sec:            0
________________________________
From: Joel Esler <jesler () sourcefire com>
> > To: Matt Lenco <mattlenco () yahoo com>
> > Cc: snort-users () lists sourceforge net
> > Sent: Tue, December 21, 2010 11:33:45 AM
> > Subject: Re: [Snort-users] -pcap-dir=c:\Network_Device_Logs -pcap-show isn't 
> > working, hangs at "commencing packet processing"
> >
> > Define "Forever"?
> >
> >
> > When loading a large directory of pcaps, Snort may take awhile to run.
> >
> >
> > Joel
> >
> >
> > On Dec 21, 2010, at 11:26 AM, Matt Lenco wrote:
> >
> >
> > > Putting a known file to generate alerts in SNORT into the C:\Network_Device_Logs 
> > > location then running the commands below, a log file is created and alerts are 
> > > sent to Kiwi Syslog, perfect! Since I have 1400 files to process I thought I 
> > > would test reading three from a directory at once. I made three copies of the 
> > > known bad file and renamed them #2 and #3 then ran the second set of commands.
> > >
> > > C:\Users\Mo>snort -devr c:\Network_Device_Logs\unicode_hack.pcap -c 
> > > c:\snort\etc\snort.conf -l c:\snort\log -L test -s
> > >
> > > C:\Users\Mo>snort -pcap-dir=c:\Network_Device_Logs -pcap-show -c 
> > > c:\snort\etc\snort.conf -l c:\snort\log  -L test -s
> > >
> > > However, when I run the commmand below, SNORT initializes but just sits at the 
> > > Commencing packet processing (PID=5132) forever. A log file is created but no 
> > > alerts are seen.  It looks like it isn't reading any files unless I do it 
> > > manually as above.
> > >
> > > Has anyone seen this, know what may be the problem and how to correct it?
> > >
> > > Note: I pulled the commands 
> > > from http://www.procyonlabs.com/snort_manual/2.9/node8.html
> > >
> > >
> > > When I try to locate the proper command line I see that -pcap-dir doesn't 
> > > exist...
> > > C:\Users\Mo>snort --pcap
> > > snort: option `--pcap' is ambiguous
> > > snort: option `--pcap' is ambiguous
> > >
> > >   ,,_     -*> Snort! <*-
> > >  o"  )~   Version 2.9.0.2-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 92)
> > >   ''''    By Martin Roesch & The Snort 
> > > Team: http://www.snort.org/snort/snort-team
> > >           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> > >           Using PCRE version: 8.10 2010-06-25
> > >           Using ZLIB version: 1.2.3
> > >
> > > USAGE: snort [-options] <filter options>
> > >       snort /SERVICE /INSTALL [-options] <filter options>
> > >       snort /SERVICE /UNINSTALL
> > >       snort /SERVICE /SHOW
> > > Options:
> > >        -A         Set alert mode: fast, full, console, test or none  (alert 
> > > file alerts only)
> > >        -b         Log packets in tcpdump format (much faster!)
> > >        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR 
> > > mask
> > >        -c <rules> Use Rules File <rules>
> > >        -C         Print out payloads with character data only (no hex)
> > >        -d         Dump the Application Layer
> > >        -e         Display the second layer header info
> > >        -E         Log alert messages to NT Eventlog. (Win32 only)
> > >        -f         Turn off fflush() calls after binary log writes
> > >        -F <bpf>   Read BPF filters from file <bpf>
> > >        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
> > >        -h <hn>    Set home network = <hn>
> > >                   (for use with -l or -B, does NOT change $HOME_NET in IDS 
> > > mode)
> > >        -H         Make hash tables deterministic.
> > >        -i <if>    Listen on interface <if>
> > >        -I         Add Interface name to alert output
> > >        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
> > >        -K <mode>  Logging mode (pcap[default],ascii,none)
> > >        -l <ld>    Log to directory <ld>
> > >        -L <file>  Log to this tcpdump file
> > >        -n <cnt>   Exit after receiving <cnt> packets
> > >        -N         Turn off logging (alerts still work)
> > >        -O         Obfuscate the logged IP addresses
> > >        -p         Disable promiscuous mode sniffing
> > >        -P <snap>  Set explicit snaplen of packet (default: 1514)
> > >        -q         Quiet. Don't show banner and status report
> > >        -r <tf>    Read and process tcpdump file <tf>
> > >        -R <id>    Include 'id' in snort_intf<id>.pid file name
> > >        -s         Log alert messages to syslog
> > >        -S <n=v>   Set rules file variable n equal to value v
> > >        -T         Test and report on the current Snort configuration
> > >        -U         Use UTC for timestamps
> > >        -v         Be verbose
> > >        -V         Show version number
> > >        -W         Lists available interfaces. (Win32 only)
> > >        -X         Dump the raw packet data starting at the link layer
> > >        -x         Exit if Snort configuration problems occur
> > >        -y         Include year in timestamp in the alert and log files
> > >        -Z <file>  Set the performonitor preprocessor file path and name
> > >        -?         Show this information
> > > <Filter Options> are standard BPF options, as seen in TCPDump
> > > Longname options and their corresponding single char version
> > >   --logid <0xid>                  Same as -G
> > >   --perfmon-file <file>           Same as -Z
> > >   --pid-path <dir>                Specify the directory for the Snort PID 
> file
> > >   --snaplen <snap>                Same as -P
> > >   --help                          Same as -?
> > >   --version                       Same as -V
> > >   --alert-before-pass             Process alert, drop, sdrop, or reject before 
> > > pass, default is pass before alert, drop,...
> > >   --treat-drop-as-alert           Converts drop, sdrop, and reject rules into 
> > > alert rules during startup
> > >   --treat-drop-as-ignore          Use drop, sdrop, and reject rules to ignore 
> > > session traffic when not inline.
> > >   --process-all-events            Process all queued events (drop, alert,...), 
> > > default stops after 1st action group
> > >   --enable-inline-test            Enable Inline-Test Mode Operation
> > >   --dynamic-engine-lib <file>     Load a dynamic detection engine
> > >   --dynamic-engine-lib-dir <path> Load all dynamic engines from directory
> > >   --dynamic-detection-lib <file>  Load a dynamic rules library
> > >   --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from 
> > > directory
> > >   --dump-dynamic-rules <path>     Creates stub rule files of all loaded rules 
> > > libraries
> > >   --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library
> > >   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries 
> > > from directory
> > >   --pcap-single <tf>              Same as -r.
> > >   --pcap-file <file>              file that contains a list of pcaps to read - 
> > > read mode is implied.
> > >   --pcap-list "<list>"            a space separated list of pcaps to read - 
> > > read mode is implied.
> > >   --pcap-loop <count>             this option will read the pcaps specified on 
> > > command line continuously.
> > >                                   for <count> times.  A value of 0 will read 
> > > until Snort is terminated.
> > >   --pcap-reset                    if reading multiple pcaps, reset snort to 
> > > post-configuration state before reading next pcap.
> > >   --pcap-show                     print a line saying what pcap is currently 
> > > being read.
> > >   --exit-check <count>            Signal termination after <count> callbacks 
> > > from DAQ_Acquire(), showing the time it
> > >                                   takes from signaling until DAQ_Stop() is 
> > > called.
> > >   --conf-error-out                Same as -x
> > >   --enable-mpls-multicast         Allow multicast MPLS
> > >   --enable-mpls-overlapping-ip    Handle overlapping IPs within MPLS clouds
> > >   --max-mpls-labelchain-len       Specify the max MPLS label chain
> > >   --mpls-payload-type             Specify the protocol (ipv4, ipv6, ethernet) 
> > > that is encapsulated by MPLS
> > >   --require-rule-sid              Require that all snort rules have SID 
> > > specified.
> > >   --daq <type>                    Select packet acquisition module (default is 
> > > pcap).
> > >   --daq-mode <mode>               Select the DAQ operating mode.
> > >   --daq-var <name=value>          Specify extra DAQ configuration variable.
> > >   --daq-dir <dir>                 Tell snort where to find desired DAQ.
> > >   --daq-list [<dir>]              List packet acquisition modules available in 
> > > dir.
> > >
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------------------------------

> > > Forrester recently released a report on the Return on Investment (ROI) of
> > > Google Apps. They found a 300% ROI, 38%-56% cost savings, and break-even
> > > within 7 months.  Over 3 million businesses have gone Google with Google 
Apps:
> > > an online email calendar, and document program that's accessible from your 
> > > browser. Read the Forrester 
> > > report: http://p.sf.net/sfu/googleapps-sfnew_______________________________________________
> > >
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Forrester recently released a report on the Return on Investment (ROI) of
Google Apps. They found a 300% ROI, 38%-56% cost savings, and break-even
within 7 months.  Over 3 million businesses have gone Google with Google Apps:
an online email calendar, and document program that's accessible from your 
browser. Read the Forrester report: http://p.sf.net/sfu/googleapps-sfnew

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users