tcpflow will take a snort log file and, based on command-line parameters, get you different "flows" from it. So if you were downloading a file from an FTP site, you could give the proper parameters to dump that flow and it should be the actual file.
http://www.circlemud.org/~jelson/software/tcpflow/
For some of the attacks in the data the packets are fragmented, and I need them to be sequentially ordered so that my classifier isn't beaten. For example, an attack could be an old Apache denial-of-service attack where massive amounts of forward slashes or backslashes are sent to the server. Looking at the tcpdump files with Ethereal, the packets for this attack are obviously spread out, so I need to recombine them. Hope that makes sense.
I've taken a look at tcpflow, but I don't think it likes large tcpdump files.
Thanks for the help.
Last edited by [[Merlin]] on Fri Jan 20, 2006 3:12 pm; edited 1 time in total
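The reordering step the post above is asking for, as an added example that is not part of the original thread or of tcpflow: a small TCP stream stitcher that takes segments already pulled out of a capture, sorts each flow by sequence number, drops duplicates, trims overlapping retransmissions, and reports any hole instead of silently gluing unrelated bytes together (which is exactly what would fool a classifier looking for a long run of slashes). It assumes segments have been extracted from the pcap by some other parser (it does not read pcap itself), that one flow does not wrap its 32-bit sequence space inside a single capture, and it runs on a constructed sample request rather than any real capture.

```python
"""Reorder out-of-order TCP segments into a contiguous byte stream.

Added example, not from the original thread. Assumes segments were
already extracted from a capture; the sample below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment, reduced to the fields reassembly needs."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # absolute sequence number of the first payload byte
    payload: bytes


FlowKey = Tuple[str, int, str, int]


def flow_key(seg: Segment) -> FlowKey:
    """Identify one direction of a connection."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def stitch(segments: List[Segment]) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Order one flow's segments by seq and concatenate their payloads.

    Exact duplicates are dropped and overlapping retransmissions are
    trimmed. A hole (bytes that never showed up in the capture) is reported
    as a (start_seq, end_seq) pair so the caller knows the stream is
    incomplete. Assumption: no 32-bit sequence wrap inside one capture.
    """
    ordered = sorted((s for s in segments if s.payload), key=lambda s: s.seq)
    data = bytearray()
    gaps: List[Tuple[int, int]] = []
    if not ordered:
        return bytes(data), gaps
    expected = ordered[0].seq          # next byte we still need
    for s in ordered:
        end = s.seq + len(s.payload)
        if end <= expected:
            continue                   # pure duplicate: every byte already stitched
        if s.seq > expected:
            gaps.append((expected, s.seq))  # hole before this segment
            expected = s.seq
        data += s.payload[expected - s.seq:]  # skip the overlapping prefix, if any
        expected = end
    return bytes(data), gaps


def reassemble(segments: List[Segment]) -> Dict[FlowKey, Tuple[bytes, List[Tuple[int, int]]]]:
    """Group segments per flow and stitch each flow independently."""
    flows: Dict[FlowKey, List[Segment]] = {}
    for s in segments:
        flows.setdefault(flow_key(s), []).append(s)
    return {k: stitch(v) for k, v in flows.items()}


# Constructed sample: a request carrying a long run of slashes, split into
# four segments that arrive in reverse order, plus one exact duplicate of
# the first segment and one retransmission overlapping two segments.
REQUEST = b"GET /" + b"/" * 60 + b" HTTP/1.0\r\nHost: victim\r\n\r\n"
ISN = 1000
CLIENT = ("10.0.0.5", 40001, "10.0.0.1", 80)  # assumed addresses, not from the thread
_in_order = [
    Segment(*CLIENT, ISN + off, REQUEST[off:off + 24])
    for off in range(0, len(REQUEST), 24)
]
SAMPLE: List[Segment] = (
    _in_order[::-1]                                        # reversed delivery
    + [_in_order[0]]                                       # duplicate of first segment
    + [Segment(*CLIENT, ISN + 20, REQUEST[20:40])]         # overlapping retransmit
)
# Same capture with the second segment and the retransmit missing: a real hole.
SAMPLE_WITH_HOLE: List[Segment] = [s for s in SAMPLE if s.seq not in (ISN + 20, ISN + 24)]


if __name__ == "__main__":
    for key, (data, gaps) in reassemble(SAMPLE).items():
        print(key, len(data), "bytes,", "gaps:", gaps)
        print(data[:40])
    print("with hole:", stitch(SAMPLE_WITH_HOLE)[1])
```

Because `stitch` works on whatever segments you hand it, it can be fed flow by flow from a large capture without holding the whole file in memory, which is the part of the problem the poster found awkward with tcpflow; the gap list is what tells you when a flow should be skipped or flagged rather than classified on partial data.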