Snort mailing list archives
Re: tcpdump script
From: "Nathaniel Richmond" <nate+snort () richmond-family org>
Date: Tue, 7 Apr 2009 20:25:45 -0400 (EDT)
Jefferson, Shawn wrote:
Hi, I wanted to run tcpdump to capture all traffic on my snort sensor, so that if I want to go take a look at traffic based on snort alerts I could get more context. I've set up a couple of scripts to gzip the packet captures and send them to a storage server. My question is about starting tcpdump itself. I tried doing it in the same script that starts snort and barnyard, but this didn't seem to work and I think it's due to the fact that tcpdump needs to be run as root (?). So, I've created a root cron job that runs every five minutes and will start tcpdump if it finds it not running (using "pidof tcpdump").
Have you looked at Sguil since it is designed with full packet capture in mind? It includes scripts that support either Snort in packet logging mode or daemonlogger (recommended) to capture traffic. You use cron to check partition usage and remove the old pcaps at whatever interval is appropriate. Sguil is designed to leave the pcaps on the sensor(s) and only retrieve the traffic that you want to look at. You use either an alert or session data as a starting point to tell Sguil what pcaps you want to retrieve and view either in ASCII or with a tool like Wireshark.

www.sguil.net
http://nsmwiki.org/Sguil
Not being a Linux guru, is this the right way to approach this problem?

Thanks,
Shawn

------------------------------------------------------------------------------
This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
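Added example, not code from either poster or from Sguil: one POSIX shell script that does both jobs discussed in this thread, restarting the capture process from a root cron job when it is not running, and pruning the oldest pcaps when the capture partition fills up. The paths, interface name, thresholds and the script name capture-ctl.sh are hypothetical; the tcpdump flags (-G for timed rotation, -w with a strftime pattern, -Z to drop privileges after the interface is opened) are real.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven capture supervisor.
# Assumptions (hypothetical): PCAP_DIR, IFACE, thresholds and the script
# name; adjust to the sensor. Run from root's crontab every five minutes:
#   */5 * * * * /usr/local/sbin/capture-ctl.sh
PCAP_DIR="${PCAP_DIR:-/var/log/pcap}"
IFACE="${IFACE:-eth0}"
MAX_USAGE_PCT="${MAX_USAGE_PCT:-80}"   # start pruning above this usage
ROTATE_SECS="${ROTATE_SECS:-3600}"     # start a new pcap file every hour

# Percentage of the partition holding $1 that is in use (df -P is POSIX).
usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Number of *.pcap files directly under $1.
count_pcaps() {
    n=0
    for f in "$1"/*.pcap; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Predicate used from cron: true while the capture partition is too full.
over_limit() {
    [ "$(usage_pct "$1")" -ge "$MAX_USAGE_PCT" ]
}

# prune_pcaps DIR [PREDICATE]: delete the oldest *.pcap in DIR while
# "PREDICATE DIR" succeeds; print how many files were removed.
prune_pcaps() {
    dir=$1
    pred=${2:-over_limit}
    deleted=0
    while "$pred" "$dir"; do
        oldest=$(ls -1tr "$dir"/*.pcap 2>/dev/null | head -n 1)
        [ -n "$oldest" ] || break      # nothing left to delete
        rm -f -- "$oldest"
        deleted=$((deleted + 1))
    done
    echo "$deleted"
}

# Start tcpdump if no instance is running. Opening the interface needs root
# (or CAP_NET_RAW), which is why this runs from root's cron; -Z then drops
# to an unprivileged user, -G rotates the file, -w names it via strftime.
ensure_capture() {
    if ! pgrep -x tcpdump >/dev/null 2>&1; then
        mkdir -p "$PCAP_DIR"
        tcpdump -i "$IFACE" -n -s 0 -Z nobody \
            -G "$ROTATE_SECS" -w "$PCAP_DIR/%Y%m%d-%H%M%S.pcap" \
            >/dev/null 2>&1 &
    fi
}

# Entry point when run as the script itself (not when sourced for testing).
if [ "${0##*/}" = "capture-ctl.sh" ]; then
    ensure_capture
    prune_pcaps "$PCAP_DIR" >/dev/null
fi
```

Because -Z drops privileges before later rotation files are opened, PCAP_DIR must be writable by the user named in -Z. The prune loop takes its "is the disk too full" test as a function name so the same code can be driven by partition usage in production and by a file-count predicate when exercising it on a scratch directory.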
Current thread:
- tcpdump script Jefferson, Shawn (Apr 07)
- Re: tcpdump script Joel Esler (Apr 07)
- Re: tcpdump script Jason Brvenik (Apr 07)
- Re: tcpdump script Joel Esler (Apr 07)
- Re: tcpdump script Bamm Visscher (Apr 07)
- <Possible follow-ups>
- Re: tcpdump script Nathaniel Richmond (Apr 07)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Jack Pepper (Apr 08)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Jason Brvenik (Apr 08)
- Re: tcpdump script Leon Ward (Apr 09)
- Re: tcpdump script John Hally (Apr 08)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Nathaniel Richmond (Apr 08)
- Re: tcpdump script Nigel Houghton (Apr 08)
- Message not available
- Re: tcpdump script Nathaniel Richmond (Apr 08)
- Re: tcpdump script Will Metcalf (Apr 08)