[Snort-users] help improving time it takes to read compressed tcpdumps

Erik Melander Emelander at ...3910...
Wed Nov 7 09:41:09 EST 2001


As I understand it, Snort does not accept tcpdump data from stdin, but
requires the use of the "-r" flag to read tcpdumps.  Currently, I pull
compressed tcpdumps from my sensors, aggregate them on the analyzing
machine, uncompress them, read them into Snort, and recompress them for
archival purposes.  I would like to use the Compress::Zlib perl module to
uncompress and compress on the fly while dumping the data into stdin (much
like the fetchem.pl script does on Shadow).  This should significantly
reduce the time it takes to read compressed tcpdumps into Snort.  Even
better would be the ability to compile zlib into snort so it can natively
read compressed tcpdumps.  If this is not possible, if anyone has any
suggestions for improving the time it takes for this process, I would love
to hear it.  Thanks!
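Added example, not from the original post or from the Snort project: a small POSIX shell function that decompresses each gzip'd tcpdump into a named pipe and hands the pipe path to a reader command, so the capture never lands on disk uncompressed and the recompress-for-archive step disappears (the original .gz is untouched). It assumes the reader's `-r` accepts a FIFO path (libpcap reads savefiles sequentially, so this generally works, but confirm on your Snort build); the reader command string and file names are placeholders.

```shell
#!/bin/sh
# Stream gzip'd captures through a FIFO into a pcap reader such as Snort.
# Usage: stream_gz_capture 'snort -c /path/to/snort.conf -r' a.pcap.gz [b.pcap.gz ...]
# The reader is run once per file with the FIFO path appended as its last argument.
set -eu

stream_gz_capture() {
  reader=$1; shift                         # e.g. 'snort -c snort.conf -r' (placeholder)
  tmpdir=$(mktemp -d) || return 1
  fifo="$tmpdir/capture.pcap"
  mkfifo "$fifo" || { rmdir "$tmpdir"; return 1; }
  status=0
  for f in "$@"; do
    # Writer: decompress into the pipe. The open blocks until the reader
    # opens the other end, which is why it runs in the background.
    gzip -dc "$f" > "$fifo" &
    writer=$!
    # Reader consumes the stream exactly as if it were a plain tcpdump file.
    # If it fails, kill the writer so a never-opened FIFO cannot hang us.
    $reader "$fifo" || { status=$?; kill "$writer" 2>/dev/null || :; }
    # Propagate the writer's status too (missing or corrupt .gz).
    wait "$writer" || status=$?
  done
  rm -f "$fifo"
  rmdir "$tmpdir"
  return "$status"
}
```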
