SNORT: How to read a snort.log file

From OnnoWiki
Revision as of 09:49, 15 March 2017 by Onnowpurbo

Source: https://www.safaribooksonline.com/library/view/snort-cookbook/0596007914/ch01s20.html


1.19. Reading a Saved Capture File

Problem

You have a binary capture file that you want to read: for example, a file that was written by Snort with the binary (-b) logging option, by TCPDump, or by Ethereal (now Wireshark).

Solution

Use the -r <filename> option to read a capture file, whether from Snort, TCPDump, Ethereal, or any other program that creates a libpcap format file:

snort -dv -r /var/log/snort/snort.log.1085148255

Discussion

Snort can read capture files that have been saved in the libpcap format. That covers Snort's own binary logs (snort.log.<timestamp>, where the suffix is the Unix epoch time at which logging started) as well as captures from sniffer programs such as TCPDump and Ethereal (now Wireshark). Snort reads a capture file with the -r <filename> command-line option, which puts it into playback mode: packets come from the file instead of the network interface, and the rest of the command line works as it would for live traffic. You must give the path and name of the capture file as the parameter to -r. The following example reads the binary file snort.log.1085148255 and prints each packet to the screen (-v prints the packet headers, -d also dumps the application-layer data):

snort -dv -r /var/log/snort/snort.log.1085148255

The following command reads the binary file snort.log.1085148255 and logs all traffic in ASCII format into the appropriate per-host directories. Note that the argument to -l is a log directory, not a file; create it before running the command:

snort -r /var/log/snort/snort.log.1085148255 -l ~/log

The following command reads the binary file snort.log.1085148255 and processes the traffic according to the parameters in the snort.conf file. It runs every packet through the rules included by that configuration and writes alerts and logs under ~/log:

snort -r /var/log/snort/snort.log.1085148255 -l ~/log -c /etc/snort/snort.conf

The following command reads the binary file snort.log.1085148255 and displays only the TCP traffic to the screen. The trailing word tcp is a BPF (tcpdump-style) filter expression; everything after the options is treated as the filter, so it must come last:

snort -dv -r /var/log/snort/snort.log.1085148255 tcp

When processing capture files, Snort can be used in any of its three modes: sniffer, packet logger, and NIDS. The first example displays the logged packets on the screen (sniffer mode). You can also log them to ASCII files (packet logger mode, -l) or run the file through the rules engine (NIDS mode, -c). In every mode you can add a command-line BPF filter to look only at certain packets as you process the file, such as TCP packets.
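The recipe relies on two things that are easy to take for granted: that the file handed to -r really is a libpcap capture, and that the trailing filter word (tcp) selects packets by transport protocol. The Python script below is an added example, not code from the Snort Cookbook or from this wiki page. It parses a libpcap file the way snort -r must (checks the magic number for byte order, timestamp unit and a pcapng mismatch, then walks the packet records and reports a capture that was cut short, as happens when Snort is killed while writing), classifies the IPv4 transport protocol of each Ethernet frame so the tcp selection can be reproduced, and assembles the command lines shown above. The sample capture is constructed inline (three Ethernet/IPv4 frames, timestamped from 1085148255, the epoch value in the file name used throughout the recipe); all function names are my own.

```python
"""Inspect a libpcap capture the way `snort -r` consumes it (added example)."""
import struct
from typing import List, NamedTuple, Optional, Tuple

# Global-header magic values as unpacked with "<I"; the value tells the writer's
# byte order and timestamp resolution. Snort's snort.log.* files are plain libpcap.
MAGIC = {
    0xA1B2C3D4: ("<", "us"),  # little-endian writer, microsecond timestamps
    0xD4C3B2A1: (">", "us"),  # big-endian writer, microsecond timestamps
    0xA1B23C4D: ("<", "ns"),  # little-endian writer, nanosecond timestamps
    0x4D3CB2A1: (">", "ns"),  # big-endian writer, nanosecond timestamps
}
PCAPNG_MAGIC = 0x0A0D0D0A   # first word of a pcapng Section Header Block (a different format)
DLT_EN10MB = 1              # link-layer type: Ethernet
IPPROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


class PcapHeader(NamedTuple):
    byte_order: str   # struct prefix "<" or ">"
    ts_unit: str      # "us" or "ns"
    version: str
    snaplen: int
    linktype: int


class Packet(NamedTuple):
    ts_sec: int
    ts_frac: int
    data: bytes
    proto: Optional[str]   # "tcp"/"udp"/"icmp", another protocol number as text, or None


def parse_global_header(buf: bytes) -> PcapHeader:
    """Validate the 24-byte libpcap global header and report byte order and link type."""
    if len(buf) < 24:
        raise ValueError("shorter than a libpcap global header")
    (magic,) = struct.unpack("<I", buf[:4])
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file, not the classic libpcap format this recipe covers")
    if magic not in MAGIC:
        raise ValueError(f"magic 0x{magic:08x} is not libpcap")
    order, unit = MAGIC[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", buf[4:24])
    return PcapHeader(order, unit, f"{major}.{minor}", snaplen, linktype)


def classify(frame: bytes, linktype: int) -> Optional[str]:
    """Name the IPv4 transport protocol of an Ethernet frame (what the BPF word 'tcp' keys on)."""
    if linktype != DLT_EN10MB or len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # EtherType must be IPv4
        return None
    proto = frame[14 + 9]                                 # IPv4 header byte 9: protocol
    return IPPROTO_NAMES.get(proto, str(proto))


def parse_pcap(buf: bytes) -> Tuple[PcapHeader, List[Packet]]:
    """Walk every packet record; a capture cut short mid-write raises ValueError."""
    hdr = parse_global_header(buf)
    packets: List[Packet] = []
    off = 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(hdr.byte_order + "IIII", buf[off:off + 16])
        off += 16
        if incl_len > hdr.snaplen:
            raise ValueError(f"record at offset {off - 16} exceeds snaplen: wrong byte order or corrupt file")
        if off + incl_len > len(buf):
            raise ValueError(f"truncated packet at offset {off}: {incl_len} declared, {len(buf) - off} present")
        data = buf[off:off + incl_len]
        off += incl_len
        packets.append(Packet(ts_sec, ts_frac, data, classify(data, hdr.linktype)))
    return hdr, packets


def select(packets: List[Packet], proto: str) -> List[Packet]:
    """Rough equivalent of appending the BPF word 'tcp' (or 'udp') to the snort command line."""
    return [p for p in packets if p.proto == proto]


def snort_argv(capture: str, logdir: Optional[str] = None, conf: Optional[str] = None,
               bpf: Optional[str] = None, verbose: bool = False) -> List[str]:
    """Assemble the recipe's command lines: -l names a directory, and the BPF filter goes last."""
    argv = ["snort"] + (["-dv"] if verbose else []) + ["-r", capture]
    if logdir:
        argv += ["-l", logdir]
    if conf:
        argv += ["-c", conf]
    if bpf:
        argv.append(bpf)
    return argv


# Constructed sample capture (not real traffic): Ethernet + minimal IPv4 header per frame.
def _frame(proto: int, payload: bytes) -> bytes:
    eth = bytes.fromhex("000000000001" "000000000002" "0800")          # dst, src, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))        # checksum left zero
    return eth + ip + payload


def build_sample_pcap(order: str = "<") -> bytes:
    """Three frames (TCP, UDP, TCP) timestamped from 1085148255, the epoch in the recipe's file name."""
    header = struct.pack(order + "I", 0xA1B2C3D4) + struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, DLT_EN10MB)
    frames = [_frame(6, bytes(20)), _frame(17, bytes(8)), _frame(6, bytes(20))]
    records = b"".join(struct.pack(order + "IIII", 1085148255 + i, 1000 * i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records
```

To check a real file before replaying it, read it with open(path, "rb").read() and pass the bytes to parse_pcap; a ValueError from the magic check means -r will not accept the file, and a truncation error tells you the last complete packet Snort will be able to play back. snort_argv("/var/log/snort/snort.log.1085148255", verbose=True, bpf="tcp") reproduces the last command line of the recipe, with the filter word placed after the options as Snort requires.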
