[Snort-users] Snort / SnortSnarf question about packet captur e filenames

Matt Yackley Matt.Yackley at ...5858...
Wed Jun 26 08:17:05 EDT 2002


Tim, what version of Snort & SnortSnarf are you running?  I'm using
Snort-1.8.6 and SnortSnarf-020316.1, I have a lot more than two directories,
SnortSnarf is breaking everything out to separate directories so I wind up
with hundreds of directories, thousands of capture files and thousands of
html alert pages.  How does your Windows box handle the file names like
TCP:xxxxx-xx, since : is an invalid filename under windows?  If you have
changed snort to name the capture files to another character what do you
change in SnortSnarf to create the links to the proper filenames?  I think I
must be missing something here, wouldn't be the first time... :)

I am gzip'ing the files on the Linux box, I can bring them over to my
Windows box but when I extract everything, it chokes on the capture files
and does not extract them.

-----Original Message-----
From: Slighter, Tim [mailto:tslighter at ...5174...]
Sent: Wednesday, June 26, 2002 9:59 AM
To: 'Matt Yackley'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort / SnortSnarf question about packet
captur e filenames


understood, what I do is tar both of the directories... (the logs and the
html's) and then ssh them over to the win32 system.  One strange quirk I
discovered in this process is that you should tar to a gzip, otherwise the
files are not so friendly in the win32 environment.  Does that help ?

-----Original Message-----
From: Matt Yackley [mailto:Matt.Yackley at ...5858...]
Sent: Wednesday, June 26, 2002 8:21 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort / SnortSnarf question about packet
captur e filenames


Thanks for the reply, but this isn't quite what I'm looking for, I would
like to be able to just tar the entire tree, delete the tree and start fresh
every week, then take the tar file to a windows machine untar, view and burn
on CD as is.  We can then have every week's alerts complete with all of the
SnortSnarf pages intact and working.  We can then use these CD's for
review/research, while keeping the current SnortSnarf reports a little
cleaner and easier to read.  The problem right now is that the SnortSnarf
pages don't link to the packet capture files and you have to manually change
the URL from a : to a _ to view the packets.  If I leave Snort at the
default the files can't be read from Windoze boxes due to the ":".

Matt
-----Original Message-----
From: Slighter, Tim [mailto:tslighter at ...5174...]
Sent: Wednesday, June 26, 2002 8:53 AM
To: 'Matt Yackley'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort / SnortSnarf question about packet
captur e filenames


You could consider doing what I have done to facilitate this with ease.  I
simply locked down ipchains to allow only tcp port 443 traffic from a single
host, in addition to this, I installed Apache, mod_ssl and openssl and
created self-signed CA, server and client certs, configured apache for SSL
and then designed the entire model for IP restricted access with basic
authentication and "required" certificates.  That way, I am able to connect
up to the site (with the alerts and portscan logs) with 4 levels of
autentication and authorization.  if you are primarily interested in going
with downloadable files then setup apache for directory listing instead

-----Original Message-----
From: Matt Yackley [mailto:Matt.Yackley at ...5858...]
Sent: Wednesday, June 26, 2002 7:13 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort / SnortSnarf question about packet capture
filenames


Hello all,

I run Snort & SnortSnarf on a Linux box, but would like the ability to move
the data off and be able to read it on a Windows box.  Since Windows can't
handle filenames like TCP:xxxxx-xxx, I have changed the Snort code to log
the packet capture files with TCP_xxxxx-xxx.  Now I need to get SnortSnarf
to create the proper links on the alert details page.  I'm not a programmer
or perl scripter by any means, however I did try a couple of changes to the
HTMLOutput.pm file, but they did not help.  The one change that I thought
would have worked was changing 'logfileprototerm' =':' to ='_'.  Any ideas
on where I need to change SnortSnarf to make this work?

Thanks,
Matt Yackley



-------------------------------------------------------
This sf.net email is sponsored by: Jabber Inc.
Don't miss the IM event of the season | Special offer for OSDN members! 
JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by: Jabber Inc.
Don't miss the IM event of the season | Special offer for OSDN members! 
JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list