Snort mailing list archives

RE: snort tcpdump binary file mirroring over network.


From: "Shawn Truax" <Shawn.Truax () mbs gov on ca>
Date: Sat, 25 Oct 2003 05:17:08 -0400

If you took Eric's idea for scp and created a cron job to do the following it might work.

1. Stop Snort
2. scp your files from the /some/dir/for/snort using *.log wildcards
3. then move the file to /some/dir/for/snort/archive
4. Start Snort

This way you won't be copying your old files over and over, as they will be moved to a different folder.  That way they will still be available if you need them.  The down side to this is the downtime for snort during the file copy.  The problem is you don't want to do the move with just a SIGHUP, or you would move the file that snort is trying to write to.  If you knew some Perl, or someone who could program something up for you, it shouldn't be too hard to write something that copies just the oldest file in the directory and then moves it, leaving the new one alone.

As an aside thanks for the info on the -d switch Erek.  I completely forgot about that, I think the GUI interface I am 
using now has spoiled me :)

Shawn
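The "copy the older files, leave the newest one alone" variant from the steps above, as an added shell script that is not from this thread: it assumes Snort has already been sent a SIGHUP so the live capture is the tcpdump.log.<number> file with the highest numeric suffix, the log directory /var/log/snort and an archive/ subdirectory from the thread, and a placeholder remote destination; COPY_CMD exists only so the copy step can be swapped for cp when testing.

```shell
#!/bin/sh
# Ship every closed Snort capture file to a remote host, then move it into
# an archive directory so the next run does not copy it again. The newest
# tcpdump.log.<number> file is the one Snort is still writing and is left alone.
SNORT_LOG_DIR="${SNORT_LOG_DIR:-/var/log/snort}"
ARCHIVE_DIR="${ARCHIVE_DIR:-$SNORT_LOG_DIR/archive}"
REMOTE="${REMOTE:-otherhost:/some/dir/for/snort/}"   # placeholder, from the thread
COPY_CMD="${COPY_CMD:-scp -q}"                       # set COPY_CMD=cp to test locally

# Print the closed capture files, one per line, oldest first: every
# tcpdump.log.<number> in the directory except the one with the largest
# (newest) numeric suffix. Assumes the suffix is the numeric one Snort writes.
closed_logs() {
    for f in "$1"/tcpdump.log.*; do
        [ -f "$f" ] && echo "${f##*.}"          # bare numeric suffix
    done | sort -n | sed '$d' | sed "s|^|$1/tcpdump.log.|"
}

# Copy each closed file to $3, then move it into $2. A file whose copy failed
# is left in place so it is retried next run; the function then returns 1.
archive_closed_logs() {
    dir="$1"; archive="$2"; dest="$3"
    mkdir -p "$archive" || return 1
    failed=0
    # Paths carry no whitespace (fixed prefix plus digits), so word splitting is safe.
    for f in $(closed_logs "$dir"); do
        if $COPY_CMD "$f" "$dest"; then
            mv "$f" "$archive/"
        else
            echo "copy of $f failed; leaving it for the next run" >&2
            failed=1
        fi
    done
    return $failed
}

# Only perform the cycle when invoked as: sh snort-archive.sh run
if [ "${1:-}" = "run" ]; then
    archive_closed_logs "$SNORT_LOG_DIR" "$ARCHIVE_DIR" "$REMOTE"
fi
```

Run it from cron after the hourly SIGHUP; Snort keeps running throughout, and a failed copy is visible in the cron mail and retried on the next pass.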



samwun <samwun () hgcbroadband com> 10/24/03 11:26pm >>>


-----Original Message-----
From: Erek Adams [mailto:erek () snort org] 
Sent: Saturday, October 25, 2003 2:47 AM
To: samwun
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort tcpdump binary file mirroring over network.

On Fri, 24 Oct 2003, samwun wrote:

I found that when I enabled the tcpdump output module, the binary file tcpdump.log is stored on the sensor. I would like to mirror a directory or file system which contains the tcpdump.log file generated by Snort. I want to keep a copy of this file system (containing the binary file tcpdump.log) stored on a remote server as well.

I found that Veritas Volume Manager/Replicator can do mirroring, but it is commercial and I am not sure whether it is suitable for this instance.

Any comments and suggestions are very much appreciated.

What's wrong with sending Snort a SIGHUP once an hour, and then using
something like:

    scp tcpdump.file otherhost:/some/dir/for/snort/

Maybe it works, but I am concerned about how many tcpdump.log files I have to copy over to a remote server at the end of a day or week or even months..
I suppose every time you do a HUP on snort, there will be a new tcpdump.log file generated with a different number at the end of the file, e.g. tcpdump.log.3984938, while the previous tcpdump.log.xxxxx files are still in the directory (/var/log/snort/). Every time we do an scp, it will end up copying all the previous files over and over again...


Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


