Snort mailing list archives

Re: tcpdump script


From: "Nathaniel Richmond" <nate+snort () richmond-family org>
Date: Tue, 7 Apr 2009 20:25:45 -0400 (EDT)

Jefferson, Shawn wrote:
> Hi,
>
> I wanted to run tcpdump to capture all traffic on my snort sensor,
> so that if I want to go take a look at traffic based on snort alerts
> I could get more context.  I've set up a couple of scripts to gzip
> the packet captures and send them to a storage server.  My question
> is about starting tcpdump itself.  I tried doing it in the same
> script that starts snort and barnyard, but this didn't seem to work
> and I think it's due to the fact that tcpdump needs to be run as
> root (?).
>
> So, I've created a root cron job that runs every five minutes and will
> start tcpdump if it finds it not running (using "pidof tcpdump").

Have you looked at Sguil since it is designed with full packet
capture in mind?

It includes scripts that support either Snort in packet logging mode
or daemonlogger (recommended) to capture traffic. You use cron to
check partition usage and remove the old pcaps at whatever interval
is appropriate.

Sguil is designed to leave the pcaps on the sensor(s) and only
retrieve the traffic that you want to look at. You use either an
alert or session data as a starting point to tell Sguil what pcaps
you want to retrieve and view either in ASCII or with a tool like
Wireshark.

www.sguil.net
http://nsmwiki.org/Sguil

> Not being a Linux guru, is this the right way to approach this
> problem?
>
> Thanks,
> Shawn

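The two cron jobs discussed in this thread (restart the capture process if it has died, and prune old pcaps by partition usage) as one added example script; this is not code from the thread, Sguil or daemonlogger. It assumes pgrep(1) and a POSIX df -P, and CAPTURE_DIR, the interface eth0 and the unprivileged user are placeholders.

```sh
#!/bin/sh
# Constructed example: run from root's crontab, e.g.
#   */5 * * * * /usr/local/sbin/pcap-watchdog.sh
CAPTURE_DIR="${CAPTURE_DIR:-/var/pcap}"   # placeholder path
MAX_PCT="${MAX_PCT:-80}"                  # start pruning above this usage
MIN_KEEP=2                                # newest files stay (one may be open)

# Percent of the partition holding $1 that is in use (df -P: POSIX layout).
usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Succeeds when a process named exactly $1 exists (pgrep -x instead of pidof,
# an assumption; both return non-zero when nothing matches).
is_running() {
    pgrep -x "$1" > /dev/null 2>&1
}

# Delete the oldest *.pcap in $1 until usage is at or below $2 percent,
# always keeping MIN_KEEP files. Prints how many files were removed.
prune_pcaps() {
    dir=$1 max=$2 removed=0
    while [ "$(usage_pct "$dir")" -gt "$max" ]; do
        count=$(ls -tr "$dir"/*.pcap 2>/dev/null | wc -l | tr -d ' ')
        [ "$count" -gt "$MIN_KEEP" ] || break
        oldest=$(ls -tr "$dir"/*.pcap | head -n 1)   # -tr: oldest first
        rm -f -- "$oldest"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Watchdog half of the job: restart tcpdump when it is gone. tcpdump needs
# root to open the interface; -Z drops to an unprivileged user afterwards,
# so CAPTURE_DIR must be writable by that user. -G rotates files every 300 s.
ensure_capture() {
    if ! is_running tcpdump; then
        logger -t pcap-watchdog "tcpdump not running, restarting"
        tcpdump -i eth0 -Z nobody -G 300 \
            -w "$CAPTURE_DIR/cap.%Y%m%d%H%M%S.pcap" > /dev/null 2>&1 &
    fi
}

main() {
    ensure_capture
    prune_pcaps "$CAPTURE_DIR" "$MAX_PCT" > /dev/null
}
```

Running `main` from cron covers both checks; the functions are separate so each can be exercised on its own.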
------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

