Hi Joe, can you please show an example of what's the output of the "sflowtool -t" command, which makes snort happy? That can help addressing your question.
Also, do you know which sFlow fields are relevant to snort - this is just in case sfacctd is unable to produce a dump as detailed as sflowtool does? I'm anyway guessing that the only way would be through the "print" plugin and a few sed/awk around it.

Cheers,
Paolo

On Tue, Oct 14, 2008 at 05:17:34PM -0400, Joe Carvalho wrote:
> Hello,
> I'd like to have sfacctd provide a tcpdump-style output suitable for
> feeding into snort.
>
> I've been doing this, but I'd like to replace sflowtool with sfacctd/
> pmacctd.
> % sflowtool -t | snort -Afull -r - -c snort.conf
>
> tnx.
> --joe

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
