Snort mailing list archives

Re: simultaneous snort and tcpdump


From: Carl Gibbons <cgibbons () du edu>
Date: Thu, 26 Sep 2002 17:17:07 -0600 (MDT)


On Thu, 26 Sep 2002, Bennett Todd wrote:

> Perhaps I misunderstood Jason, but I _think_ his suggestion is very
> relevant.
>
> I took him to mean that it might be more efficient to use one snort
> to do the job you're currently doing with snort + tcpdump. Rather
> than running both snort and tcpdump, run just snort, and configure
> the snort to log everything, by creating a rule that logs
> everything. I think the canonical example might be
>
>       log any any any <> any any

Oh, I see.  Sorry for the misunderstanding.  Though, I think pass
rules or other log rules might interfere with this, if I'm not
careful...  Thanks for the explanation.

> If you don't need the alerts in real-time, another approach might be
> to just use either snort or tcpdump as a pure packet capture to save
> everything in a libpcap format file, then as you rotate logs, rotate
> them clean off your capture sniffer to a log archival system, and
> there run snort over them with -r.

Wow, you're astute.  I'm actually also trying to set up a SHADOW
IDS, and you've perfectly described SHADOW's architecture.  I don't
yet have the SHADOW analyzer (you called it a log archival system)
working, and so I'm experimenting with getting snort working on the
SHADOW sensor machine (simultaneously with SHADOW's tcpdump) in the
meantime.  - Carl
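The capture-then-analyse pipeline described in the quoted reply (tcpdump writes rotated pcap files on the sensor, snort -r reads them on the archival host), as an added example that is not part of the thread. It assumes tcpdump is run with -G and a strftime-style -w name so that capture files sort chronologically and the newest one is the file still being written; the SPOOL, ARCHIVE, SNORT_CONF and SNORT values are assumed placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumed sensor-side capture:
#   tcpdump -i eth0 -G 3600 -w /var/spool/pcap/cap-%Y%m%d-%H%M.pcap
# Paths below are assumptions; file paths must not contain whitespace.
SPOOL=${SPOOL:-/var/spool/pcap}
ARCHIVE=${ARCHIVE:-/var/archive/pcap}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
SNORT=${SNORT:-snort}

# finished_pcaps DIR: list every .pcap in DIR except the newest one,
# which tcpdump is still writing and must not be analysed or moved yet.
finished_pcaps() {
    ls "$1"/*.pcap 2>/dev/null | sort | sed '$d'
}

# analyse_pcaps DIR: run snort offline (-r) over each finished capture with
# the normal rule set, writing its logs under ARCHIVE/logs, then move the
# capture into ARCHIVE. Prints the number of files processed. If snort
# fails on a file, the function stops and leaves that file in place so it
# is retried on the next rotation instead of being silently lost.
analyse_pcaps() {
    n=0
    mkdir -p "$ARCHIVE/logs" || return 1
    for f in $(finished_pcaps "$1"); do
        "$SNORT" -c "$SNORT_CONF" -r "$f" -l "$ARCHIVE/logs" || return 1
        mv "$f" "$ARCHIVE/" || return 1
        n=$((n + 1))
    done
    echo "$n"
}
```

Run it from cron on the archival host after each rotation (for example `analyse_pcaps "$SPOOL"`), with the finished files shipped over from the sensor into SPOOL first.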


