Snort mailing list archives

RE: snort tcpdump binary file mirroring over network.


From: Keith Long <keith.long () air2web com>
Date: Wed, 29 Oct 2003 08:07:44 -0500

You would probably want to use ssh keys.

Check out http://www.linuxforum.com/forums/index.php?showtopic=1459


~Keith

-----Original Message-----
From: Donofrio, Lewis [mailto:donofrio () umich edu] 
Sent: Wednesday, October 29, 2003 7:17 AM
To: Shawn Truax
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort tcpdump binary file mirroring over network.

How do you feed scp with password to use for the session from an .sh?

--besides using expect.
______________________________________________________________________ 
Lewis Donofrio () umich edu      College of Literature, Science, & Arts 
1007 East Huron, Room 201,    BetaID:243340     Cell: (734) 323-8776
Ann Arbor,MI 48104-1690 www.umich.edu/~donofrio Fax: (734) 647-8333 


-----Original Message-----
From: Shawn Truax [mailto:Shawn.Truax () mbs gov on ca] 
Sent: Saturday, October 25, 2003 5:17 AM
To: samwun () hgcbroadband com; erek () snort org
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort tcpdump binary file mirroring over network.


If you took Erek's idea for scp and created a cron job to do 
the following it might work.

1. Stop Snort
2. scp your files from /some/dir/for/snort using *.log wildcards
3. then move the files to /some/dir/for/snort/archive
4. Start Snort

This way you won't be copying your old files over and over as 
they will be moved to a different folder.  That way they will 
still be available if you need them.  The down side to this 
is the downtime for Snort during the file copy.  Problem is 
you don't want to do the move with just a SIGHUP or you 
would move the file that Snort is trying to write to.  If 
you know some Perl, or someone who could program something up 
for you, it shouldn't be too hard to write something that 
copies just the oldest file in the directory and then moves 
it, leaving the new one alone.

As an aside, thanks for the info on the -d switch, Erek.  I 
completely forgot about that; I think the GUI interface I am 
using now has spoiled me :)

Shawn



samwun <samwun () hgcbroadband com> 10/24/03 11:26pm >>>


-----Original Message-----
From: Erek Adams [mailto:erek () snort org] 
Sent: Saturday, October 25, 2003 2:47 AM
To: samwun
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort tcpdump binary file mirroring over network.

On Fri, 24 Oct 2003, samwun wrote:

I found that when I enabled the tcpdump output module, the binary file 
tcpdump.log is stored on the sensor. I would like to mirror a dir or 
file system which contains the tcpdump.log file generated by Snort. I want 
to keep a copy of this file system (containing the binary file tcpdump.log) 
stored on a remote server as well.

I found that Veritas Volume Manager/Replicator can do mirroring, but it 
is commercial and I am not sure whether it is suitable for this instance.

Any comment and suggestion is very appreciated.

What's wrong with sending Snort a SIGHUP once an hour, and 
then using something like:

    scp tcpdump.file otherhost:/some/dir/for/snort/

Maybe it works, but I am concerned about how many tcpdump.log 
files I have to copy over to a remote server at the end of a 
day or week or even months.. I suppose every time you 
do a HUP on Snort, there will be a new tcpdump.log file 
generated with a different number at the end of the file name, e.g. 
tcpdump.log.3984938, while the previous tcpdump.log.xxxxx files 
are still in the directory (/var/log/snort/). Every time we 
do a scp, it will end up copying all the previous files 
over and over again...


Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson



-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation 
Program. Do you like what SourceForge.net is doing for the 
Open Source Community?  Make a contribution, and help us add 
new features and functionality. Click here: 
http://sourceforge.net/donate/ 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users
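An added example, not code from anyone in this thread, of the cron-driven approach Shawn describes combined with Keith's ssh-key suggestion: it ships every rotated tcpdump.log.* file except the newest one (the file Snort still has open after its last SIGHUP), and moves a file to the archive only after its copy succeeded, so Snort never has to be stopped and nothing is copied twice. The remote target, key path and directory names are assumptions; setting SNORT_COPY_CMD=cp and SNORT_REMOTE to a local directory dry-runs it offline.

```shell
#!/bin/sh
# Ship Snort's rotated tcpdump.log.* files with scp (key auth, no scripted
# password) and then move them to a local archive, leaving the newest file,
# which Snort is still writing, untouched. Added example; paths, the remote
# target and the key location are assumptions, not values from the thread.
set -eu

SNORT_REMOTE="${SNORT_REMOTE:-backup@loghost:/some/dir/for/snort}"      # assumed
SNORT_COPY_CMD="${SNORT_COPY_CMD:-scp -q -i /root/.ssh/snort_copy_key}" # assumed key

# List the rotated logs that are safe to ship: every tcpdump.log.* in the
# spool except the most recently modified one, which Snort still has open.
shippable_logs() {
    spool="$1"
    newest=""
    for f in "$spool"/tcpdump.log.*; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    for f in "$spool"/tcpdump.log.*; do
        if [ -f "$f" ] && [ "$f" != "$newest" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Copy each shippable log to the remote, then move it into the archive.
# A file is archived only after its copy succeeded, so a failed transfer is
# simply retried on the next cron run. Prints the number of files shipped.
# Snort's log names contain no whitespace, so plain word splitting is safe.
ship_snort_logs() {
    spool="$1"; archive="$2"
    mkdir -p "$archive"
    shipped=0
    for f in $(shippable_logs "$spool"); do
        if $SNORT_COPY_CMD "$f" "$SNORT_REMOTE/"; then
            mv "$f" "$archive/"
            shipped=$((shipped + 1))
        else
            echo "copy of $f failed, leaving it in $spool for the next run" >&2
        fi
    done
    echo "$shipped"
}

# Run from cron, e.g. hourly, after the entry that sends Snort a SIGHUP:
# ship_snort_logs /var/log/snort /var/log/snort/archive
```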
