Snort mailing list archives

RE: snort tcpdump binary file mirroring over network.


From: "samwun" <samwun () hgcbroadband com>
Date: Sun, 2 Nov 2003 23:46:36 +0800

Actually I found this can be done very easily with C programming,
reading/writing over the socket. I will modify my old code, which has
multi-threaded capability at the server side. The only problem with
this is that it doesn't have built-in encryption functionality, but this
can be easily accomplished by directing traffic to ssh between server
and client. The server ssh just needs to maintain a list of certificates in
order to authenticate with clients.

-----Original Message-----
From: Shawn Truax [mailto:Shawn.Truax () mbs gov on ca] 
Sent: Saturday, October 25, 2003 5:17 PM
To: samwun () hgcbroadband com; erek () snort org
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort tcpdump binary file mirroring over network.

If you took Erek's idea for scp and created a cron job to do the
following, it might work.

1. Stop Snort
2. scp your files from /some/dir/for/snort using *.log wildcards
3. then move the files to /some/dir/for/snort/archive
4. Start Snort

This way you won't be copying your old files over and over, as they will
be moved to a different folder.  That way they will still be available
if you need them.  The downside to this is the downtime for Snort
during the file copy.  The problem is you don't want to do the move with
just a SIGHUP, or you would move the file that Snort is trying to write
to.  If you know some Perl, or someone who could program something up
for you, it shouldn't be too hard to write something that copies just
the oldest file in the directory and then moves it, leaving the new one
alone.

As an aside, thanks for the info on the -d switch, Erek.  I completely
forgot about that; I think the GUI interface I am using now has spoiled
me :)

Shawn



samwun <samwun () hgcbroadband com> 10/24/03 11:26pm >>>


-----Original Message-----
From: Erek Adams [mailto:erek () snort org] 
Sent: Saturday, October 25, 2003 2:47 AM
To: samwun
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort tcpdump binary file mirroring over network.

On Fri, 24 Oct 2003, samwun wrote:

I found that when I enabled the tcpdump output module, the binary file
tcpdump.log is stored on the sensor. I would like to mirror a directory or
file system which contains the tcpdump.log file generated by Snort. I want
to keep a copy of this file system (containing the binary file tcpdump.log)
stored on a remote server as well.

I found that Veritas Volume Manager/Replicator can do mirroring, but it
is commercial and I am not sure whether it is suitable for this
instance.

Any comments and suggestions are very much appreciated.

What's wrong with sending Snort a SIGHUP once an hour, and then using
something like:

    scp tcpdump.file otherhost:/some/dir/for/snort/

Maybe it works, but I am concerned about how many tcpdump.log files I will
have to copy over to a remote server at the end of a day or week or even
months..
I suppose every time you do a HUP on Snort, there will be a new
tcpdump.log file generated with a different number at the end of the
file, e.g. tcpdump.log.3984938, while the previous tcpdump.log.xxxxx files
are still in the directory (/var/log/snort/). Every time we do an
scp, it will end up copying all the previous files over and over
again...


Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
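Erek's hourly SIGHUP-plus-scp and Shawn's copy-then-archive cron job can be combined without stopping Snort, because each HUP leaves the closed capture behind under its old epoch suffix and only the highest-numbered tcpdump.log.* is still open for writing. The script below is an added example, not code from this thread or from the Snort project. It assumes a Snort 2 sensor writing tcpdump.log.<epoch> into LOGDIR, a pidfile at PIDFILE, a remote destination REMOTE reachable by scp, and a COPY_CMD variable (a hypothetical knob, defaulting to scp) that can be pointed at cp to exercise the logic on one box; the default paths are placeholders.

```shell
#!/bin/sh
# Ship closed Snort tcpdump logs to a remote host, then archive them locally.
# Added example; paths, pidfile and variable names are assumptions, not from the thread.

LOGDIR=${LOGDIR:-/var/log/snort}            # where Snort writes tcpdump.log.<epoch>
ARCHIVE=${ARCHIVE:-$LOGDIR/archive}         # local copy kept after a successful ship
PIDFILE=${PIDFILE:-/var/run/snort_eth0.pid} # assumed pidfile location
REMOTE=${REMOTE:-otherhost:/some/dir/for/snort/}
COPY_CMD=${COPY_CMD:-scp -q}                # set to "cp" to test on one box

# rotate_log: HUP Snort so it closes the current capture and opens a new one
# with a later epoch suffix. Snort re-execs on HUP, so give it a moment.
rotate_log() {
    [ -r "$PIDFILE" ] || { echo "no pidfile $PIDFILE" >&2; return 1; }
    kill -HUP "$(cat "$PIDFILE")" || return 1
    sleep 2
}

# closed_logs: print the basenames of every tcpdump.log.<epoch> in LOGDIR
# except the one with the highest epoch, which is the file Snort is still
# writing. Sorting numerically on the suffix is what keeps that file safe.
closed_logs() {
    ls -1 "$LOGDIR" 2>/dev/null \
        | grep '^tcpdump\.log\.[0-9][0-9]*$' \
        | sort -t. -k3,3n \
        | sed '$d'
}

# ship_logs: copy each closed log to REMOTE; only after the copy succeeds is
# the file moved into ARCHIVE, so a failed copy is retried next run and a
# successful one is never copied twice. Prints the number of files shipped.
ship_logs() {
    shipped=0
    mkdir -p "$ARCHIVE" || return 1
    for f in $(closed_logs); do          # names match a fixed pattern: no spaces
        if $COPY_CMD "$LOGDIR/$f" "$REMOTE"; then
            mv "$LOGDIR/$f" "$ARCHIVE/" && shipped=$((shipped + 1))
        else
            echo "copy of $f failed; leaving it for the next run" >&2
        fi
    done
    echo "$shipped"
}

# Only act when invoked as "ship_snort_logs.sh run", e.g. from an hourly cron entry:
#   0 * * * * /usr/local/sbin/ship_snort_logs.sh run
case "${1:-}" in
    run) rotate_log && ship_logs ;;
esac
```

A file whose copy fails stays in LOGDIR and is retried on the next run, and because the newest suffix is always skipped, a HUP that has not yet produced its new file simply defers the just-closed capture to the next hour rather than moving something Snort still has open.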



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




