[Snort-users] Re: a question

Phil Wood cpw at ...440...
Mon Feb 11 17:02:35 EST 2002


On Mon, Feb 11, 2002 at 02:32:17PM -0600, Coming at Ya Straight outta Humboldt Park wrote:

> I saw your recent post about snort core-dumping, and I was wondering if it
> would be possible to get a copy of the script you are utilizing to
> restart snort/and prevent looped processes.  

I'll try and find some time to get them together.  The problem is that
they are specific to a snort loaded with a libpcap which I've modified
(Linux only) to timeout when the packet time has exceeded the specified
timeout (julian seconds) time.  That and a 32768 shared memory ring buffer
make for relatively good packet capture.  (I'm sure it's not as good
as BSD ^%)

Essentially there are just two shell scripts, the first is a while loop,
and the second starts up snort.  I've come up with my own file
naming scheme.  Example:

Datafile       548267 Feb 11 17:47 /log/all/bb20020211.1735       <- -b option
Datafile        14636 Feb 11 17:46 /log/all/bb20020211.1735.scan  <- from portscan

I modified the portscan preprocessor to only generate entries in the .scan
file.  They look like this:

Feb 11 17:35:34 129.70.11.232:20 -> 192.16.3.161:2015 SYN ******S*

and are not amenable to ACID which I sometimes use, but have lately decided
to accomplish with a post process of the pcap file (-b).

where bb is an extension that makes this instance unique, and the remainder
should be obvious.

Also, in the outer loop, if the duration of a run (endtime-starttime from
the date program (date '+%s'), I quit and phone home.  %^)

PS: Do you happen to live in the California redwoods, and go surfing in
the Pacific Ocean, when not snorting [in the more mundane sense of the
word]?

> 
> best regards,
> /dn
> 
> *****************************************************************
> One person's paranoia is another person's engineering redundancy.
> 
> 					- Marcus J. Ranum
> *****************************************************************
> http://www.pyro.net/~daniel/key.htm
> 

-- 
Phil Wood, cpw at ...440...
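A sketch of the two-script arrangement described in the post (an outer while loop that respawns the capture process, an inner launcher, per-run log names of the form bb20020211.1735, and a run-length check built on `date '+%s'`), written as an added example; it is not Phil Wood's script. The threshold MIN_RUN_SECS, the give-up count MAX_FAILS, the `phone_home` stderr placeholder, the SNORT_LOGFILE variable handed to the inner launcher, and the idea of treating a zero exit status as an operator stop are all assumptions made here, not details from the post. The post's sentence about quitting on run duration is incomplete, so the "consecutive short runs" rule below is one reasonable reading of how to keep a crashing snort from being restarted in a tight loop.

```shell
#!/bin/sh
# Added example in the spirit of the two scripts described in the post
# (outer restart loop plus inner launcher); not Phil Wood's code.
# Assumptions (not from the post): MIN_RUN_SECS as the "too short" threshold,
# MAX_FAILS as the give-up count, phone_home as a stderr placeholder, and the
# command passed to supervise standing in for the inner snort launcher.

LOGDIR="${LOGDIR:-/log/all}"          # directory shown in the post
PREFIX="${PREFIX:-bb}"                # per-instance tag shown in the post
MIN_RUN_SECS="${MIN_RUN_SECS:-60}"    # assumed: shorter runs count as crash loops
MAX_FAILS="${MAX_FAILS:-3}"           # assumed: consecutive short runs before quitting

# logname EPOCH_SECONDS -> PREFIX + YYYYMMDD.HHMM, e.g. bb20020211.1735
# (UTC is used here so the name is reproducible; the post's names are local time)
logname() {
    printf '%s%s\n' "$PREFIX" "$(date -u -d "@$1" '+%Y%m%d.%H%M')"
}

# run_too_short START END -> succeeds when END-START is below MIN_RUN_SECS
run_too_short() {
    [ $(( $2 - $1 )) -lt "$MIN_RUN_SECS" ]
}

# phone_home MESSAGE -> placeholder for whatever operator notification is used
phone_home() {
    printf 'ALERT: %s\n' "$1" >&2
}

# supervise CMD [ARGS...] -> the outer loop.  Each iteration exports
# SNORT_LOGFILE (where the inner launcher would point snort's -b output),
# runs CMD, and measures the run with date '+%s'.  Exit status 0 from CMD is
# treated as an operator stop (returns 0); MAX_FAILS consecutive runs shorter
# than MIN_RUN_SECS make the loop give up and phone home (returns 1) instead
# of respawning a crashing process forever.
supervise() {
    fails=0
    while :; do
        start=$(date '+%s')
        SNORT_LOGFILE="$LOGDIR/$(logname "$start")"
        export SNORT_LOGFILE
        "$@"
        status=$?
        end=$(date '+%s')
        [ "$status" -eq 0 ] && return 0
        if run_too_short "$start" "$end"; then
            fails=$(( fails + 1 ))
            if [ "$fails" -ge "$MAX_FAILS" ]; then
                phone_home "$1 exited $fails times in under ${MIN_RUN_SECS}s; last log $SNORT_LOGFILE"
                return 1
            fi
        else
            fails=0    # a healthy long run resets the crash-loop counter
        fi
        sleep 1        # brief pause so a failing launcher cannot spin the CPU
    done
}

# Real use would look like:
#   supervise /usr/local/bin/start-snort.sh      (hypothetical path)
# where start-snort.sh runs snort with "-b" and writes to "$SNORT_LOGFILE".
```

The inner launcher stays a separate script, as in the post, so that snort's own options (and the modified libpcap it depends on) are kept out of the loop logic; the loop only needs the launcher's exit status and the wall-clock length of the run.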
