Snort Forums Archive
reading output log from -b mode
Posted by DavyCrockett on March 14, 2005 05:03:28
I have run snort on a tcpdump using the -b mode and this has led me to two questions:
1) Is there some simple way to do a comparison between the original tcpdump file and the produced binary?
2) I have written a program that parses a standard tcpdump (using the tcp/udp standard header info) and it outputs this info into a comma delimited form. Is it possible to do something similar with the snort binary output and to add a tag for each snort classification (i.e. 1 for TCP port scan, 2 for Bare Byte Unicode Encoding)? Has anybody done this or have any advice on this?
Thanks in advance for your help
Posted by DavyCrockett on March 14, 2005 20:04:32
How about this question:
Does anybody know the location (in bytes) of sig_id?
Posted by roesch on March 19, 2005 17:44:26
You ran a pcap file from tcpdump through Snort in binary logging mode? Did you perform intrusion analysis on this file (i.e. load a snort.conf file) or did you just run 'snort -r -l . -b'? That's essentially the 'cp' command implemented in 93,000 lines of C code...
Check out the Snort unified format and the Barnyard program, I think this does exactly what you're talking about in your second question.
-Marty
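For the first question in the thread (comparing the original tcpdump file with what `snort -b` wrote), here is an added example that is not from the original posts: a small libpcap parser that reads both files and reports the first differences packet by packet. It assumes the -b log is in libpcap format (Snort's binary logging writes tcpdump-compatible files) and uses constructed sample captures built in memory.

```python
import struct

def read_pcap(data: bytes):
    """Parse a classic libpcap file. Returns (linktype, [(ts_sec, ts_usec, frame_bytes), ...])."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:        # written little-endian, microsecond timestamps
        endian = "<"
    elif magic == 0xD4C3B2A1:      # written big-endian, microsecond timestamps
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (unknown magic)")
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append((ts_sec, ts_usec, frame))
        off += incl_len
    return linktype, packets

def compare_pcaps(a: bytes, b: bytes):
    """Compare two captures; returns a list of difference descriptions (empty means identical content)."""
    link_a, pkts_a = read_pcap(a)
    link_b, pkts_b = read_pcap(b)
    diffs = []
    if link_a != link_b:
        diffs.append("linktype differs: %d vs %d" % (link_a, link_b))
    if len(pkts_a) != len(pkts_b):
        diffs.append("packet count differs: %d vs %d" % (len(pkts_a), len(pkts_b)))
    for i, (x, y) in enumerate(zip(pkts_a, pkts_b)):
        if x[:2] != y[:2]:
            diffs.append("packet %d: timestamp differs" % i)
        if x[2] != y[2]:
            diffs.append("packet %d: frame bytes differ" % i)
    return diffs

def build_pcap(packets, linktype=1):
    """Write a little-endian libpcap file; used here only to construct sample input (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

# Constructed samples: SAMPLE_B is SAMPLE_A with the second frame missing
SAMPLE_A = build_pcap([(1110771808, 0, b"\x00" * 14 + b"A" * 20), (1110771809, 500, b"\x00" * 14 + b"B" * 20)])
SAMPLE_B = build_pcap([(1110771808, 0, b"\x00" * 14 + b"A" * 20)])
```

To run it on real files, pass `open("original.pcap", "rb").read()` and the -b output to `compare_pcaps`; an empty list confirms the log is a byte-for-byte copy of the capture's records.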