Snort mailing list archives

Re: Snort read an incremental file


From: Paul Li <paul () scybersecurity com>
Date: Mon, 30 Jan 2017 14:39:18 -0500

Looking for a way for Snort to monitor multiple servers, but I don't want to
install sensors on these servers. So I am trying to use tcpdump to sniff the
network on these servers and send the data to a central server where Snort
is deployed. My first thought was to write a file (i.e. as Felix advised, using a
named pipe), but I realize it works for monitoring one server, and may not for
multiple servers.... Is there a possible way to do that? How about setting up a
virtual network interface on the Snort server and letting tcpdump write data
from those target servers to that remote virtual interface on the Snort
server?

Thanks,
Paul

On Monday, January 30, 2017, Joel Esler (jesler) <jesler () cisco com> wrote:

Is there a particular reason that you are doing it this way, or can you
just read directly from the network interface?

--
Joel Esler | Talos: Manager | jesler () cisco com

On Jan 30, 2017, at 10:42 AM, Paul Li <paul () scybersecurity com> wrote:

Thanks Felix. That works well for my issue. Much appreciated.

A follow-up question: if I have multiple pipes like this one, would
there be any order in how Snort reads them?

Thanks,
Paul

On Saturday, January 28, 2017, Felix Erlacher <felix.erlacher () uibk ac at> wrote:

Hi Paul,

On a decent OS you can write pcap data to a named pipe and make snort
read from that named pipe. That might be a solution in your case.

Example on Debian:
#mkfifo mypipe
then make your program write data to that file, and with snort simply
#snort -c snort.conf -r ./mypipe

greets

felix

On 28/01/17 14:52, Paul Li wrote:
I've got a pcap file that keeps getting new network data added to it. I know Snort can
read a file, but is there a way Snort can read the data that is continuously
added to the file?

Thanks,
Paul


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


--
Felix Erlacher
ccs-labs.org/~erlacher

Key-ID:4EAC0959
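The named-pipe technique Felix describes, shown as an added example that is not part of this thread and not code from the Snort project. It assumes Linux and Python 3 and stands in for both sides of his pipeline: a writer thread plays the role of `tcpdump -w mypipe` by emitting a classic little-endian pcap stream (global header, then one record per packet) into a FIFO created with `os.mkfifo`, and a reader plays the role of `snort -r mypipe` by parsing records in arrival order. The frames and timestamps are constructed, not real captures. It also shows the caveat a practitioner hits in practice: a FIFO is a one-shot stream, so the reader blocks until each record arrives, the 24-byte pcap header has to come first, and when the writer closes its end the reader sees EOF and finishes, which is what happens to Snort when the process feeding the pipe exits.

```python
import os
import struct
import tempfile
import threading
import time

# Classic pcap file format, little-endian, microsecond timestamps.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535

# Constructed sample "frames": any bytes will do for the pipe mechanics;
# these are not real captured packets.
SAMPLE_FRAMES = [
    b"constructed frame one",
    b"constructed frame two, a little longer",
    b"constructed frame three",
]
BASE_TS = 1485000000  # constructed epoch seconds (late January 2017)


def pcap_global_header():
    """24-byte pcap file header that must precede every record on the stream."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)


def pcap_record(ts_sec, ts_usec, frame):
    """16-byte per-packet header (ts_sec, ts_usec, incl_len, orig_len) + bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def write_pcap_stream(fifo_path, frames, delay=0.02):
    """Stand-in for `tcpdump -w mypipe`: header first, then records as they occur.
    open() for writing blocks until some reader has opened the FIFO."""
    with open(fifo_path, "wb", buffering=0) as out:
        out.write(pcap_global_header())
        for i, frame in enumerate(frames):
            out.write(pcap_record(BASE_TS + i, 0, frame))
            time.sleep(delay)  # packets trickle in; the reader waits for each one
    # Closing the write end delivers EOF to the reader, just as snort -r on the
    # pipe finishes when the process feeding it exits.


def read_pcap_stream(fifo_path):
    """Stand-in for `snort -r mypipe`: parse records in arrival order until EOF."""
    records = []
    with open(fifo_path, "rb") as inp:
        header = inp.read(24)  # blocks until 24 bytes arrive or the writer closes
        if len(header) < 24:
            raise ValueError("pipe closed before a full pcap header arrived")
        magic, _vmaj, _vmin, _tz, _sig, snaplen, _link = struct.unpack("<IHHiIII", header)
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap stream: magic %#x" % magic)
        while True:
            rec_hdr = inp.read(16)
            if len(rec_hdr) < 16:
                break  # writer closed the FIFO: EOF, nothing more will come
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", rec_hdr)
            if incl_len > snaplen:
                raise ValueError("record length %d exceeds snaplen %d" % (incl_len, snaplen))
            frame = inp.read(incl_len)
            if len(frame) < incl_len:
                raise ValueError("truncated record at EOF")
            records.append((ts_sec, ts_usec, frame))
    return records


def run_pipe_demo(frames=SAMPLE_FRAMES):
    """Create a FIFO, feed it from a writer thread, and consume it like snort would."""
    workdir = tempfile.mkdtemp()
    fifo = os.path.join(workdir, "mypipe")
    os.mkfifo(fifo)  # the same step as `mkfifo mypipe` in the thread above
    try:
        writer = threading.Thread(target=write_pcap_stream, args=(fifo, frames))
        writer.start()
        records = read_pcap_stream(fifo)  # returns only after the writer closes
        writer.join()
    finally:
        os.unlink(fifo)
        os.rmdir(workdir)
    return records


if __name__ == "__main__":
    for ts_sec, ts_usec, frame in run_pipe_demo():
        print(ts_sec, ts_usec, len(frame), frame)
```

Run it as a script and the three constructed records print in the order they were written. Because the reader consumes bytes as they arrive, the same FIFO cannot be rewound or read twice; if Snort is restarted while the writer keeps running, the bytes already consumed are gone and the new reader will not see a pcap header at the front of the stream, which is why the reader above refuses a stream that does not start with the magic value.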
