Snort mailing list archives
network output strategies (was: Rotating '-b'logs...)
From: Kiira Triea <kiira-t () mail bsasinc org>
Date: Tue, 24 Jul 2001 08:27:01 -0400 (EDT)
Ben Hughes wrote:
> On Tue, Jul 24, 2001 at 05:01:47AM -0400, Dave Cinege wrote:
> > How can I resolve this? If I need to do some recoding of snort I can, though KISS is best. (I was thinking maybe sending a signal to the process to pause file writing and buffer until getting another signal to resume writing)
>
> I've looked at this as well (albeit in not great depth). Have you considered using netpipes (fifo over tcp type thing)? Dunno how well this would work; simple case, try
>
>     pig$ mkfifo /tmp/snort
>     pig$ snort -b /tmp/snort
>     pig$ cat /tmp/snort | ssh -e none remote.host cat \>/var/log/snort/machine1
>
> I'll get me coat..
Hmmm... I've been thinking about this too but thought perhaps using perl's IO::Socket modules to write a local client for a UDP connection to the remote server - have snort sensors write to the local client and then the perl server can catch output and write them to the database/whatever of choice. But that would be reinventing the wheel a bit since there are already the Alert_unixsock and XML output plugins - these are tailored for use as logging options for multiple remote sensors, yes? Are they ready for prime time yet?

Anyway if anyone has any feedback on my meandering thoughts I'd like to hear it because I want to write some new code soon. :-)

What would really work well for what I need is to be able to have the server (Socket listener/data receiver) output to different sources depending on Alert directives - I want a database of alerts to cover a large timespan for instance, but I want a binary tcpdump to be triggered by an alert which would be linked by a database key to the triggering alert - so that I can trace through a possible intrusion sequence. I know that the "tag" and "session" directives address this... I just haven't gotten around to setting everything up the way I need it.

Yikes I better get some coffee.

Oh yes, it would also be helpful to have the binary trace begin shortly *before* the Alert is triggered - though this will probably need to wait for either the tachyon_emitter or miss_Cleo preprocessors.

Kiira
resident NerDGrRl - BSAS Inc.
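The FIFO relay Ben sketches above, written out as an added example (not code from the thread): it shows the ordering the pipeline depends on, a FIFO that other local users cannot read from or write into, and a check that the bytes reach the far side unchanged. The consumer is a local file here so it runs offline; in production it would be the `ssh -e none remote.host cat >/var/log/snort/machine1` leg, and the writer would be `snort -b` (both stood in for by constructed data; remote.host is the thread's assumed hostname).

```shell
#!/bin/sh
# Added example: relay a binary log stream through a FIFO the way the
# mkfifo/snort -b/ssh pipeline does. No snort or ssh is run; the writer is a
# constructed sample file and the "remote" end is a local file.
set -eu

WORK=$(mktemp -d)
FIFO="$WORK/snort.fifo"
OUT="$WORK/machine1.log"          # stands in for the remote /var/log/snort/machine1
SAMPLE="$WORK/sample.bin"         # stands in for what snort -b would write

# Build a constructed stand-in for a binary log: the libpcap magic number and
# version fields, followed by 4 KiB of arbitrary bytes (NULs included, so the
# relay is exercised with real binary data, not text).
make_sample() {
  printf '\324\303\262\241\002\000\004\000' >"$SAMPLE"
  dd if=/dev/urandom bs=1024 count=4 2>/dev/null >>"$SAMPLE"
}

relay_through_fifo() {
  # 1. Owner-only FIFO: anyone who can open it for reading can steal packets
  #    from the stream, and anyone who can open it for writing can inject
  #    bogus records into the log, so do not leave it world-accessible.
  rm -f "$FIFO"
  mkfifo -m 600 "$FIFO"
  # 2. Start the consumer FIRST. open(2) for writing on a FIFO blocks until a
  #    reader exists, so a writer started before its reader simply hangs. If
  #    the consumer (the ssh leg) later dies, the writer gets SIGPIPE on its
  #    next write, so the consumer side needs supervising/restarting.
  cat "$FIFO" >"$OUT" &
  reader=$!
  # 3. The writer: this is where `snort -b "$FIFO"` would sit.
  cat "$SAMPLE" >"$FIFO"
  wait "$reader"
}

# Returns 0 when the bytes that went in are exactly the bytes that came out.
verify_relay() {
  make_sample
  relay_through_fifo
  [ "$(cksum <"$SAMPLE")" = "$(cksum <"$OUT")" ]
}

verify_relay && echo "relay ok: $(wc -c <"$OUT") bytes reached $OUT"
```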