Snort mailing list archives

logtopcap: a snort unified log to pcap file tool.


From: Dragos Ruiu <dr () dursec com>
Date: Sun, 18 Aug 2002 05:44:31 +0000

Someone asked me for a tool to convert snort 
unified log files to pcap files. I needed some output 
file diagnostic tools myself. So I built a small utility
program.

This may be of interest to others too... so you are reading this. :-)

The program below converts snort unified log files into pcap files 
suitable for reading with tcpdump, snort, and ethereal. Barnyard 
also can be used for this function, but this utility is a little 
faster and doesn't have to be configured; it will automagically 
determine input format and process accordingly. The diagnostic 
dumps also give complete unabridged human readable packets 
and file contents without skipping any fields (b.y. may do this 
too in some mode but I haven't played with it).

Build instructions: 
        cc -o logtopcap logtopcap.c

Usage:
        logtopcap <snort.log.filename> <pcap.filename>

It will also produce diagnostic human readable text dumps 
of all the input file formats if you give it a third dumpfile argument.

logtopcap <snort.log.filename> <pcap.filename> [dumpfile]

Logtopcap will process the following input formats:

        Snort 1.x Unified Log Files
        Snort 1.x Unified Alert Files (*)
        Snort 2.x Unified Log/Alert Files
        Pcap Files (not funny redhat ones yet tho :) (**)

(*)(Note 1: Snort 1.x Alert files contain no packets so no pcap data 
will be output but the data will be dumped into human readable 
form in the dumpfile if a third argument is used.)

(**)(Note 2: In this mode the file conversion is a no-op as 
input files = output, but I've needed a raw pcap dumper 
for some time... :-)

It only produces one binary output format: ordinary pcap files.
(and the text human readable dumps)

cheers,
--dr

url: http://dragos.com/logtopcap.c

-- 
dr () dursec com  pgp: http://dragos.com/dr-dursec.asc
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002

Attachment: logtopcap.c
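The two pieces of the tool's behaviour that the post describes, input format autodetection from the file magic and writing ordinary pcap output (including the pcap-in, pcap-out no-op of Note 2), as an added Python example that is not logtopcap's own code. It assumes the Snort unified log/alert magic values 0xDEAD1080 and 0xDEAD4137 from Snort's unified output plugin and only identifies those files; it does not parse the unified record body. The packet data is constructed.

```python
import struct

# Magic numbers found in the first four bytes of each input format.
PCAP_MAGIC = 0xA1B2C3D4        # libpcap savefile (microsecond timestamps)
SNORT_LOG_MAGIC = 0xDEAD1080   # Snort unified log (assumed, from the unified output plugin)
SNORT_ALERT_MAGIC = 0xDEAD4137 # Snort unified alert (assumed, same source)

def detect_format(data):
    """Return (format, endian) from the leading magic; endian is '<' or '>'."""
    if len(data) < 4:
        return ("unknown", None)
    for endian in ("<", ">"):          # the writer's byte order is not known in advance
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic == PCAP_MAGIC:
            return ("pcap", endian)
        if magic == SNORT_LOG_MAGIC:
            return ("snort-log", endian)
        if magic == SNORT_ALERT_MAGIC:
            return ("snort-alert", endian)
    return ("unknown", None)

def write_pcap(packets, snaplen=65535, linktype=1):
    """Serialise (ts_sec, ts_usec, orig_len, bytes) tuples as a little-endian pcap file."""
    # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, orig_len, pkt in packets:
        pkt = pkt[:snaplen]            # caplen may be shorter than the original length
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len) + pkt
    return bytes(out)

def read_pcap(data):
    """Parse a pcap file of either byte order back into packet tuples."""
    fmt, endian = detect_format(data)
    if fmt != "pcap":
        raise ValueError("not a pcap file: " + fmt)
    pos, packets = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, caplen, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + caplen > len(data):   # truncated last record: stop instead of emitting garbage
            break
        packets.append((ts_sec, ts_usec, orig_len, data[pos:pos + caplen]))
        pos += caplen
    return packets

# Constructed sample: two records, as a pcap file fed back through the reader and writer.
SAMPLE = [(1029649471, 123456, 60, b"\x00" * 60), (1029649472, 0, 1500, b"\xff" * 40)]
ROUNDTRIP = write_pcap(read_pcap(write_pcap(SAMPLE)))
```

Running the pcap input back through read_pcap and write_pcap reproduces the same records, which is the no-op conversion the post mentions; a Snort alert file is recognised but yields no packets.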