Snort mailing list archives
Re: -pcap-dir=c:\Network_Device_Logs -pcap-show isn't working, hangs at "commencing packet processing"
From: Matt Lenco <mattlenco () yahoo com>
Date: Tue, 21 Dec 2010 09:21:42 -0800 (PST)
Pulled it from the site two weeks ago....

        -*> Snort! <*-
Version 2.9.0.2-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 92)
By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using PCRE version: 8.10 2010-06-25
Using ZLIB version: 1.2.3

________________________________
From: Joel Esler <jesler () sourcefire com>
To: Matt Lenco <mattlenco () yahoo com>
Cc: snort-users () lists sourceforge net
Sent: Tue, December 21, 2010 12:14:55 PM
Subject: Re: [Snort-users] -pcap-dir=c:\Network_Device_Logs -pcap-show isn't working, hangs at "commencing packet processing"

It does on my box, what version of Snort are you running?

        --pcap-single <tf>         Same as -r.
        --pcap-file <file>         file that contains a list of pcaps to read - read mode is implied.
        --pcap-list "<list>"       a space separated list of pcaps to read - read mode is implied.
        --pcap-dir <dir>           a directory to recurse to look for pcaps - read mode is implied.
        --pcap-filter <filter>     filter to apply when getting pcaps from file or directory.
        --pcap-no-filter           reset to use no filter when getting pcaps from file or directory.
        --pcap-loop <count>        this option will read the pcaps specified on command line continuously.
                                   for <count> times.  A value of 0 will read until Snort is terminated.
        --pcap-reset               if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
        --pcap-show                print a line saying what pcap is currently being read.

J

On Dec 21, 2010, at 12:13 PM, Matt Lenco wrote:

Joel

Why doesn't SNORT show -pcap-dir= as an option?

        --dynamic-preprocessor-lib <file>      Load a dynamic preprocessor library
        --dynamic-preprocessor-lib-dir <path>  Load all dynamic preprocessor libraries from directory
        --pcap-single <tf>         Same as -r.
        --pcap-file <file>         file that contains a list of pcaps to read - read mode is implied.
        --pcap-list "<list>"       a space separated list of pcaps to read - read mode is implied.
        --pcap-loop <count>        this option will read the pcaps specified on command line continuously.
                                   for <count> times.  A value of 0 will read until Snort is terminated.
        --pcap-reset               if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
        --pcap-show                print a line saying what pcap is currently being read.
        --exit-check <count>       Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it takes from signaling until DAQ_Stop() is called.

________________________________
From: Joel Esler <jesler () sourcefire com>
To: Matt Lenco <mattlenco () yahoo com>
Cc: snort-users () lists sourceforge net
Sent: Tue, December 21, 2010 11:51:47 AM
Subject: Re: [Snort-users] -pcap-dir=c:\Network_Device_Logs -pcap-show isn't working, hangs at "commencing packet processing"

I just did the same thing (except with 87 pcaps in one directory) on my Linux box and it ran in about 2 minutes.

J

On Dec 21, 2010, at 11:44 AM, Matt Lenco wrote:

Joel

I am doing a test of just three Wireshark pcap files, basically two copies of a file, 86KB. It has been now for 7 minutes.

Commencing packet processing (pid=3044)
*** Caught Int-Signal
===============================================================================
Run time for packet processing was 446.27000 seconds
Snort processed 0 packets.
Snort ran for 0 days 0 hours 7 minutes 26 seconds
   Pkts/min:            0
   Pkts/sec:            0

________________________________
From: Joel Esler <jesler () sourcefire com>
To: Matt Lenco <mattlenco () yahoo com>
Cc: snort-users () lists sourceforge net
Sent: Tue, December 21, 2010 11:33:45 AM
Subject: Re: [Snort-users] -pcap-dir=c:\Network_Device_Logs -pcap-show isn't working, hangs at "commencing packet processing"

Define "Forever"? When loading a large directory of pcaps, Snort may take awhile to run.

Joel

On Dec 21, 2010, at 11:26 AM, Matt Lenco wrote:

Putting a known file to generate alerts in SNORT into the C:\Network_Device_Logs location then running the commands below, a log file is created and alerts are sent to Kiwi Syslog, perfect! Since I have 1400 files to process I thought I would test reading three from a directory at once. I made three copies of the known bad file and renamed them #2 and #3 then ran the second set of commands.

C:\Users\Mo>snort -devr c:\Network_Device_Logs\unicode_hack.pcap -c c:\snort\etc\snort.conf -l c:\snort\log -L test -s

C:\Users\Mo>snort -pcap-dir=c:\Network_Device_Logs -pcap-show -c c:\snort\etc\snort.conf -l c:\snort\log -L test -s

However, when I run the command below, SNORT initializes but just sits at the Commencing packet processing (PID=5132) forever. A log file is created but no alerts are seen. It looks like it isn't reading any files unless I do it manually as above. Has anyone seen this, know what may be the problem and how to correct it?

Note: I pulled the commands from http://www.procyonlabs.com/snort_manual/2.9/node8.html

When I try to locate the proper command line I see that -pcap-dir doesn't exist...

C:\Users\Mo>snort --pcap
snort: option `--pcap' is ambiguous
snort: option `--pcap' is ambiguous

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.2-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 92)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 8.10 2010-06-25
           Using ZLIB version: 1.2.3

USAGE: snort [-options] <filter options>
       snort /SERVICE /INSTALL [-options] <filter options>
       snort /SERVICE /UNINSTALL
       snort /SERVICE /SHOW
Options:
        -A         Set alert mode: fast, full, console, test or none  (alert file alerts only)
        -b         Log packets in tcpdump format (much faster!)
        -B <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
        -c <rules> Use Rules File <rules>
        -C         Print out payloads with character data only (no hex)
        -d         Dump the Application Layer
        -e         Display the second layer header info
        -E         Log alert messages to NT Eventlog. (Win32 only)
        -f         Turn off fflush() calls after binary log writes
        -F <bpf>   Read BPF filters from file <bpf>
        -G <0xid>  Log Identifier (to uniquely id events for multiple snorts)
        -h <hn>    Set home network = <hn>
                   (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
        -H         Make hash tables deterministic.
        -i <if>    Listen on interface <if>
        -I         Add Interface name to alert output
        -k <mode>  Checksum mode (all,noip,notcp,noudp,noicmp,none)
        -K <mode>  Logging mode (pcap[default],ascii,none)
        -l <ld>    Log to directory <ld>
        -L <file>  Log to this tcpdump file
        -n <cnt>   Exit after receiving <cnt> packets
        -N         Turn off logging (alerts still work)
        -O         Obfuscate the logged IP addresses
        -p         Disable promiscuous mode sniffing
        -P <snap>  Set explicit snaplen of packet (default: 1514)
        -q         Quiet. Don't show banner and status report
        -r <tf>    Read and process tcpdump file <tf>
        -R <id>    Include 'id' in snort_intf<id>.pid file name
        -s         Log alert messages to syslog
        -S <n=v>   Set rules file variable n equal to value v
        -T         Test and report on the current Snort configuration
        -U         Use UTC for timestamps
        -v         Be verbose
        -V         Show version number
        -W         Lists available interfaces. (Win32 only)
        -X         Dump the raw packet data starting at the link layer
        -x         Exit if Snort configuration problems occur
        -y         Include year in timestamp in the alert and log files
        -Z <file>  Set the performonitor preprocessor file path and name
        -?         Show this information

<Filter Options> are standard BPF options, as seen in TCPDump

Longname options and their corresponding single char version
        --logid <0xid>                         Same as -G
        --perfmon-file <file>                  Same as -Z
        --pid-path <dir>                       Specify the directory for the Snort PID file
        --snaplen <snap>                       Same as -P
        --help                                 Same as -?
        --version                              Same as -V
        --alert-before-pass                    Process alert, drop, sdrop, or reject before pass, default is pass before alert, drop,...
        --treat-drop-as-alert                  Converts drop, sdrop, and reject rules into alert rules during startup
        --treat-drop-as-ignore                 Use drop, sdrop, and reject rules to ignore session traffic when not inline.
        --process-all-events                   Process all queued events (drop, alert,...), default stops after 1st action group
        --enable-inline-test                   Enable Inline-Test Mode Operation
        --dynamic-engine-lib <file>            Load a dynamic detection engine
        --dynamic-engine-lib-dir <path>        Load all dynamic engines from directory
        --dynamic-detection-lib <file>         Load a dynamic rules library
        --dynamic-detection-lib-dir <path>     Load all dynamic rules libraries from directory
        --dump-dynamic-rules <path>            Creates stub rule files of all loaded rules libraries
        --dynamic-preprocessor-lib <file>      Load a dynamic preprocessor library
        --dynamic-preprocessor-lib-dir <path>  Load all dynamic preprocessor libraries from directory
        --pcap-single <tf>                     Same as -r.
        --pcap-file <file>                     file that contains a list of pcaps to read - read mode is implied.
        --pcap-list "<list>"                   a space separated list of pcaps to read - read mode is implied.
        --pcap-loop <count>                    this option will read the pcaps specified on command line continuously.
                                               for <count> times.  A value of 0 will read until Snort is terminated.
        --pcap-reset                           if reading multiple pcaps, reset snort to post-configuration state before reading next pcap.
        --pcap-show                            print a line saying what pcap is currently being read.
        --exit-check <count>                   Signal termination after <count> callbacks from DAQ_Acquire(), showing the time it takes from signaling until DAQ_Stop() is called.
        --conf-error-out                       Same as -x
        --enable-mpls-multicast                Allow multicast MPLS
        --enable-mpls-overlapping-ip           Handle overlapping IPs within MPLS clouds
        --max-mpls-labelchain-len              Specify the max MPLS label chain
        --mpls-payload-type                    Specify the protocol (ipv4, ipv6, ethernet) that is encapsulated by MPLS
        --require-rule-sid                     Require that all snort rules have SID specified.
        --daq <type>                           Select packet acquisition module (default is pcap).
        --daq-mode <mode>                      Select the DAQ operating mode.
        --daq-var <name=value>                 Specify extra DAQ configuration variable.
        --daq-dir <dir>                        Tell snort where to find desired DAQ.
        --daq-list [<dir>]                     List packet acquisition modules available in dir.
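The Windows usage output quoted in this thread lists --pcap-file but not --pcap-dir, so one way to feed Snort a whole directory on that build is to generate the list file yourself. The script below is an added example (not from the thread, Snort or Sourcefire): it recurses a directory the way --pcap-dir would, writes the absolute paths of libpcap-format files to a list for --pcap-file, and reports anything that is not a libpcap capture instead of listing it, so that a stray file does not end up in a run that then processes 0 packets. Function names and the constructed sample tree are this example's own.

```python
import os
import struct
import tempfile

# libpcap magic numbers (both byte orders, plus nanosecond variants) and the pcapng SHB type.
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}
PCAPNG_MAGIC = 0x0A0D0D0A

def classify_capture(path):
    """Return 'pcap', 'pcapng' or 'other' from a file's first four bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return "other"
    magic = struct.unpack("<I", head)[0]
    if magic in PCAP_MAGICS:
        return "pcap"
    return "pcapng" if magic == PCAPNG_MAGIC else "other"

def build_pcap_list(pcap_dir, list_path):
    """Recurse pcap_dir like --pcap-dir would, write one absolute path per line
    to list_path for --pcap-file, and return (listed, skipped). Only libpcap
    files are listed; pcapng and anything else go to 'skipped' for review."""
    listed, skipped = [], []
    for root, _dirs, files in os.walk(pcap_dir):
        for name in files:
            full = os.path.abspath(os.path.join(root, name))
            if full == os.path.abspath(list_path):
                continue  # never list the list file itself
            (listed if classify_capture(full) == "pcap" else skipped).append(full)
    listed.sort()
    skipped.sort()
    with open(list_path, "w") as out:
        out.writelines(p + "\n" for p in listed)
    return listed, skipped

def make_sample_tree():
    """Constructed sample input: a temp dir holding two header-only libpcap
    files (one in a subdirectory), a pcapng header and a text file."""
    base = tempfile.mkdtemp(prefix="pcaps_")
    os.mkdir(os.path.join(base, "sub"))
    # 24-byte libpcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, DLT_EN10MB
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    samples = (("a.pcap", hdr), (os.path.join("sub", "b.pcap"), hdr),
               ("c.pcapng", b"\x0a\x0d\x0d\x0a" + b"\x00" * 8),
               ("notes.txt", b"not a capture\n"))
    for rel, data in samples:
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(data)
    return base
```

The resulting list is passed as snort --pcap-file <list> --pcap-show ... (the long options take two leading dashes, as in the usage output above).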