[Snort-devel] Design change request - accept tcpdump from stdin
Emelander at ...922...
Tue Nov 6 08:26:02 EST 2001
As I understand it, Snort does not accept tcpdump data from stdin, but
requires the use of the "-r" flag to read tcpdumps. Currently, I pull
compressed tcpdumps from my sensors, aggregate them on the analyzing
machine, uncompress them, read them into Snort, and recompress them for
archival purposes. Ideally, I would like to use the Compress:Zlib perl
module to uncompress and compress on the fly while dumping the data into
stdin (much like the fetchem.pl script does on Shadow). This should
significantly reduce the time it takes to read compressed tcpdumps into
Snort. If this is not possible, if anyone has any suggestions for improving
the time it takes for this process, I would love to hear it. Thanks!
More information about the Snort-devel