Neil
2005-03-06 23:09:10 UTC
This is a multi-part message in MIME format.
------=_NextPart_000_0000_01C52277.AC14E3F0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
snort users list:
I am new to snort.
I am running snort on a windows XP box (sorry my *nix boxes are currently
offline).
How do I simultaneously read a tcpdump file and output this same file to csv
(for Excel use)?
I can read the tcpdump file
F:\snort\bin>snort -r file.pcap
and I have added the following to snort.conf
output alert_CSV: F:\Snort\log\alert.csv
timestamp,msg,proto,src,srcport,dst,dstport
However, How do I combine both actions at once?
When I run F:\snort\bin>snort -r file.pcap a csv file never materializes.
I've read through several email archives, and did not quite see this issue,
and tried a few things from answers to other questions with no luck.
Thanks
-neil
------=_NextPart_000_0000_01C52277.AC14E3F0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>snort users =
list:<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>I am new to =
snort.<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>I am running snort on a =
windows XP
box (sorry my *nix boxes are currently =
offline).<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>How do I simultaneously =
read a
tcpdump file and output this same file to csv (for Excel =
use)?<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>I can read the tcpdump =
file<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>F:\snort\bin>snort =
-r file.pcap <o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>and I have added the =
following to
snort.conf<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>output alert_CSV:
F:\Snort\log\alert.csv =
timestamp,msg,proto,src,srcport,dst,dstport<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>However, How do I combine =
both
actions at once?<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>When I run =
F:\snort\bin>snort -r
file.pcap a csv file never =
materializes.<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>I've read through several =
email
archives, and did not quite see this issue, and tried a few things from =
answers
to other questions with no luck.<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>Thanks<o:p></o:p></span></fo=
nt></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>-neil<o:p></o:p></span></font></p>
</div>
</body>
</html>
------=_NextPart_000_0000_01C52277.AC14E3F0--
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-***@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
------=_NextPart_000_0000_01C52277.AC14E3F0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
snort users list:
I am new to snort.
I am running snort on a windows XP box (sorry my *nix boxes are currently
offline).
How do I simultaneously read a tcpdump file and output this same file to csv
(for Excel use)?
I can read the tcpdump file
F:\snort\bin>snort -r file.pcap
and I have added the following to snort.conf
output alert_CSV: F:\Snort\log\alert.csv
timestamp,msg,proto,src,srcport,dst,dstport
However, How do I combine both actions at once?
When I run F:\snort\bin>snort -r file.pcap a csv file never materializes.
I've read through several email archives, and did not quite see this issue,
and tried a few things from answers to other questions with no luck.
Thanks
-neil
------=_NextPart_000_0000_01C52277.AC14E3F0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>snort users =
list:<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>I am new to =
snort.<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>I am running snort on a =
windows XP
box (sorry my *nix boxes are currently =
offline).<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>How do I simultaneously =
read a
tcpdump file and output this same file to csv (for Excel =
use)?<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>I can read the tcpdump =
file<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>F:\snort\bin>snort =
-r file.pcap <o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>and I have added the =
following to
snort.conf<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>output alert_CSV:
F:\Snort\log\alert.csv =
timestamp,msg,proto,src,srcport,dst,dstport<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>However, How do I combine =
both
actions at once?<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>When I run =
F:\snort\bin>snort -r
file.pcap a csv file never =
materializes.<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></fo=
nt></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>I've read through several =
archives, and did not quite see this issue, and tried a few things from =
answers
to other questions with no luck.<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial'>Thanks<o:p></o:p></span></fo=
nt></p>
<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>-neil<o:p></o:p></span></font></p>
</div>
</body>
</html>
------=_NextPart_000_0000_01C52277.AC14E3F0--
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-***@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users