Snort mailing list archives
Re: Snort read an incremental file
From: Paul Li <paul () scybersecurity com>
Date: Mon, 30 Jan 2017 14:39:18 -0500
Looking for a way for Snort to monitor multiple servers, but I don't want to install sensors on these servers. So I am trying to use tcpdump to sniff the network on these servers and send the data to a central server where Snort is deployed. My first thought was to write to a file (i.e. as Felix advised, using a named pipe), but I realize it works for monitoring one server, but maybe not multiple servers.... Is there a possible way to do that? How about setting up a virtual network interface on the Snort server and letting tcpdump write data from those target servers to that remote virtual interface on the Snort server?

Thanks,
Paul

On Monday, January 30, 2017, Joel Esler (jesler) <jesler () cisco com> wrote:

> Is there a particular reason that you are doing it this way, or can you just read directly from the network interface?
>
> --
> Joel Esler | Talos: Manager | jesler () cisco com
>
> On Jan 30, 2017, at 10:42 AM, Paul Li <paul () scybersecurity com> wrote:
>
>> Thanks Felix. That works well for my issue. Much appreciated. A follow-up question: if I have multiple pipes like this one, would there be any order in which Snort reads them?
>>
>> Thanks,
>> Paul
>>
>> On Saturday, January 28, 2017, Felix Erlacher <felix.erlacher () uibk ac at> wrote:
>>
>>> Hi Paul,
>>>
>>> On a decent OS you can write pcap data to a named pipe and make snort read from that named pipe. That might be a solution in your case. Example on Debian:
>>>
>>> # mkfifo mypipe
>>>
>>> then make your program write data to that file, and with snort simply
>>>
>>> # snort -c snort.conf -r ./mypipe
>>>
>>> greets
>>> felix
>>>
>>> On 28/01/17 14:52, Paul Li wrote:
>>>
>>>> I've got a pcap file that keeps adding new network data. I know Snort can read a file, but is there a way Snort can read the continuously added data to the file?
>>>>
>>>> Thanks,
>>>> Paul
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users () lists sourceforge net
>>>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>
>>> --
>>> Felix Erlacher
>>> ccs-labs.org/~erlacher
>>> Key-ID: 4EAC0959
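Felix's named-pipe suggestion, illustrated as an added example that is not from the thread: a Python writer stands in for `tcpdump -w`, a reader stands in for `snort -r`, and both exchange a pcap stream through a FIFO created with `os.mkfifo`. The reader sees end-of-file only when the writer closes the pipe, which is why a FIFO works where a plain file that keeps growing does not. The function names and sample packets are constructed for this example.

```python
import os
import struct
import tempfile
import threading
import time

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def pcap_global_header(snaplen=65535):
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(payload, ts=0.0):
    # per-packet header: ts_sec, ts_usec, incl_len, orig_len (16 bytes)
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload


def write_stream(path, packets, delay=0.01):
    # Plays the role of the capture side (tcpdump -w): open the FIFO for writing,
    # emit the global header once, then append one record per packet.
    with open(path, "wb") as f:
        f.write(pcap_global_header())
        for i, payload in enumerate(packets):
            f.write(pcap_record(payload, ts=float(i)))
            f.flush()
            time.sleep(delay)


def read_stream(path):
    # Plays the role of the consumer (snort -r): parse header, then records
    # until the writer closes its end of the pipe (only then is EOF seen).
    packets = []
    with open(path, "rb") as f:
        header = f.read(24)
        (magic,) = struct.unpack("<I", header[:4])
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap stream")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", rec)
            packets.append(f.read(incl_len))
    return packets


def demo_fifo(packets):
    # Constructed end-to-end run: mkfifo, writer thread, blocking reader.
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "mypipe")
    os.mkfifo(path)
    writer = threading.Thread(target=write_stream, args=(path, packets))
    writer.start()
    received = read_stream(path)   # open() blocks until the writer opens its end
    writer.join()
    os.unlink(path)
    os.rmdir(workdir)
    return received
```

Run `demo_fifo([b"\x00" * 60, b"\xff" * 100])` to see the reader return exactly the frames the writer pushed through the pipe.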
Current thread:
- Snort read an incremental file Paul Li (Jan 28)
- <Possible follow-ups>
- Fwd: Re: Snort read an incremental file Felix Erlacher (Jan 28)
- Re: Snort read an incremental file Paul Li (Jan 30)
- Re: Snort read an incremental file Joel Esler (jesler) (Jan 30)
- Re: Snort read an incremental file Paul Li (Jan 30)
- Re: Snort read an incremental file Alberto Colosi (Jan 30)
- Re: Snort read an incremental file Paul Li (Jan 30)
- Re: Snort read an incremental file Felix Erlacher (Jan 30)