Snort mailing list archives
RE: snort tcpdump binary file mirroring over network.
From: "Shawn Truax" <Shawn.Truax () mbs gov on ca>
Date: Sat, 25 Oct 2003 05:17:08 -0400
If you took Erek's idea for scp and created a cron job to do the following, it might work:

1. Stop Snort
2. scp your files from /some/dir/for/snort using *.log wildcards
3. Then move the files to /some/dir/for/snort/archive
4. Start Snort

This way you won't be copying your old files over and over, as they will be moved to a different folder. That way they will still be available if you need them. The downside to this is the downtime for Snort during the file copy. The problem is you don't want to do the move with just a SIGHUP, or you would move the file that Snort is trying to write to.

If you know some Perl, or someone who could program something up for you, it shouldn't be too hard to write something that copies just the oldest file in the directory and then moves it, leaving the new one alone.

As an aside, thanks for the info on the -d switch, Erek. I completely forgot about that; I think the GUI interface I am using now has spoiled me :)

Shawn
>>> samwun <samwun () hgcbroadband com> 10/24/03 11:26pm >>>

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Saturday, October 25, 2003 2:47 AM
To: samwun
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort tcpdump binary file mirroring over network.

On Fri, 24 Oct 2003, samwun wrote:

> I found that when I enabled the tcpdump output module, the binary file tcpdump.log is stored on the sensor. I would like to mirror a directory or file system which contains the tcpdump.log file generated by Snort. I want to keep a copy of this file system (containing the binary file tcpdump.log) stored on a remote server as well. I found that Veritas Volume Manager/Replicator can do mirroring, but it is commercial and I am not sure whether it is suitable for this instance. Any comment and suggestion is very appreciated.

What's wrong with sending Snort a SIGHUP once an hour, and then using something like:

    scp tcpdump.file otherhost:/some/dir/for/snort/

Maybe it works, but I am concerned about how many tcpdump.log files I have to copy over to a remote server at the end of a day or week or even months. I suppose every time you do a HUP on Snort, there will be a new tcpdump.log file generated with a different number at the end of the file name, e.g. tcpdump.log.3984938, while the previous tcpdump.log.xxxxx files are still in the directory (/var/log/snort/). Every time we do a scp, it will end up copying all the previous files over and over again...

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
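Shawn's refinement (copy only the files Snort has already finished with, then move them to an archive directory so they are never re-sent) as an added shell example; this is not code from the thread. It assumes Snort's tcpdump.log.<number> naming from the messages, that the highest-numbered file is the one Snort currently has open, and the /var/log/snort and otherhost:/some/dir/for/snort/ paths quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Ship only the tcpdump logs Snort has
# already closed, leaving the newest file (the one Snort is writing) alone,
# so there is no Snort downtime and no re-copying of files already sent.
# Assumptions: Snort writes tcpdump.log.<number> files (as the thread shows)
# into one directory, and the file with the highest number is the live one.

SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"        # from the thread
ARCHIVE_DIR="${ARCHIVE_DIR:-$SNORT_LOG_DIR/archive}"    # Shawn's archive dir
REMOTE="${REMOTE:-otherhost:/some/dir/for/snort/}"      # Erek's scp target

# Print the closed tcpdump.log.* files, oldest first, one path per line.
# The highest-numbered file is dropped because Snort is still writing it.
closed_logs() {
    dir="$1"
    for f in "$dir"/tcpdump.log.*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "${f##*.}" "$f"     # "<number> <path>"
    done | sort -n | sed '$d' | cut -d ' ' -f 2-
}

# Copy every closed log to $dest with $COPY (scp by default), then move it
# to $archive so the next cron run never sends it again. A file is only
# archived after its copy succeeded, so a failed transfer is retried next run.
ship_closed_logs() {
    dir="$1" archive="$2" dest="$3"
    copy="${COPY:-scp -q}"                  # COPY=cp exercises it locally
    mkdir -p "$archive" || return 1
    status=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if $copy "$f" "$dest"; then
            mv "$f" "$archive/" || status=1
        else
            echo "copy of $f failed; keeping it for the next run" >&2
            status=1
        fi
    done <<EOF
$(closed_logs "$dir")
EOF
    return $status
}

# Hypothetical cron entry: 0 * * * * /usr/local/bin/ship_snort_logs.sh run
if [ "${1:-}" = "run" ]; then
    ship_closed_logs "$SNORT_LOG_DIR" "$ARCHIVE_DIR" "$REMOTE"
fi
```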
Current thread:
- RE: snort tcpdump binary file mirroring over network. Shawn Truax (Oct 25)
- Re: snort tcpdump binary file mirroring over network. Michael Sierchio (Oct 25)
- <Possible follow-ups>
- RE: snort tcpdump binary file mirroring over network. Donofrio, Lewis (Oct 29)
- RE: snort tcpdump binary file mirroring over network. Keith Long (Oct 29)
- RE: snort tcpdump binary file mirroring over network. samwun (Nov 02)