[Snort-users] Snort / SnortSnarf question about packet capture filenames - FIXED

Matt Yackley Matt.Yackley at ...5858...
Wed Jun 26 15:14:03 EDT 2002


Thanks to everyone that responded and helped out!  

Here is what I came up with if you log to *nix, use SnortSnarf, and would
like the ability to move your whole tree over to a Windows platform / CD:

First change the source code to snort:
from Frank Knobbe
"grab the source of Snort and open the file LOG.C. Find the 2nd instance
of WIN32 (I think it's still the 2nd). That IFDEF uses a _ on Windows
machines and a : on all others in the file name of the log file. Just
change the other one to a _ as well, and recompile snort."

Change SnortSnarf:
from Jim Hoagland
"Add this line in snortsnarf.pl immediately before the '&initialize();'
line:

   $out_params{'logfileprototerm'}= '_';"

NOTE: All I had to do was change this line under the unix section, a few
lines up from the '&ini...' line.
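The two changes above only affect files Snort writes from now on. The script below is an added example (not Snort or SnortSnarf code) that applies the same ':' to '_' mapping to a tree that was already logged with the default names: it renames the capture files and rewrites the capture links inside the SnortSnarf HTML pages while leaving http:// URLs alone. The per-host directory and file names in `demo()` are constructed.

```python
# Added example (not Snort/SnortSnarf code): apply ':' -> '_' to an existing tree.
import os
import re
import tempfile
# Snort names captures like TCP:1234-80; ':' is illegal on Windows. Skip http:// URLs.
PROTO_LINK = re.compile(r'\b(TCP|UDP|ICMP):')

def windows_safe_name(name: str) -> str:
    """TCP:1234-80 -> TCP_1234-80; names without ':' come back unchanged."""
    return name.replace(':', '_')

def rewrite_links(html: str) -> str:
    """Same substitution SnortSnarf makes with logfileprototerm set to '_'."""
    return PROTO_LINK.sub(r'\1_', html)

def convert_tree(root: str) -> dict:
    """Rename capture files under root and patch every .html page in place.
    Returns {old_relative_path: new_relative_path} for the renamed files."""
    renamed = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.endswith('.html'):
                with open(path, encoding='latin-1') as fh:
                    page = fh.read()
                patched = rewrite_links(page)
                if patched != page:
                    with open(path, 'w', encoding='latin-1') as fh:
                        fh.write(patched)
            elif ':' in fname:
                new = os.path.join(dirpath, windows_safe_name(fname))
                if os.path.exists(new):  # never silently clobber a capture
                    raise FileExistsError(new)
                os.rename(path, new)
                renamed[os.path.relpath(path, root)] = os.path.relpath(new, root)
    return renamed

def demo() -> dict:
    """Build a constructed two-file tree in a temp dir, convert it, return results."""
    root = tempfile.mkdtemp()
    ip_dir = os.path.join(root, '10.0.0.5')  # constructed per-host directory
    os.mkdir(ip_dir)
    open(os.path.join(ip_dir, 'TCP:1234-80'), 'w').close()
    with open(os.path.join(ip_dir, 'alert.html'), 'w') as fh:
        fh.write('<a href="TCP:1234-80">pkts</a> <a href="http://www.snort.org/">x</a>')
    renamed = convert_tree(root)
    with open(os.path.join(ip_dir, 'alert.html')) as fh:
        page = fh.read()
    return {'renamed': renamed, 'page': page}
```

Run `convert_tree('/path/to/snortsnarf/output')` on a copy of the tree before tar'ing it; the original files are left untouched only if you work on the copy.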

The last problem I ran into is that when I tar'ed my directory structure and
extracted it back on my Windows box there was a problem with the packet
capture links (relative versus hard links) that was fixed by burning the
entire thing to the root of a CD, which was my main goal anyway.  This way
I'll be able to put any week's worth of alerts into any PC, fire up the
index.html file and review logs as they were that week.

Thanks everyone!
Matt

-----Original Message-----
From: K. A. Steensma [mailto:keith at ...6181...]
Sent: Wednesday, June 26, 2002 4:29 PM
To: Snort Users Mailing List
Subject: Re: [Snort-users] Snort / SnortSnarf question about packet
capture filenames


I just created a file by the name of 'TCP:123.456.789' and then accessed 
it via a Samba share.  The filename 'in Windows Explorer' shows as 
'TCP12~6_.789'.  Wouldn't this be acceptable?

Matt Yackley wrote:
> Tim, what version of Snort & SnortSnarf are you running?  I'm using
> Snort-1.8.6 and SnortSnarf-020316.1, I have a lot more than two directories,
> SnortSnarf is breaking everything out to separate directories so I wind up
> with hundreds of directories, thousands of capture files and thousands of
> html alert pages.  How does your Windows box handle the file names like
> TCP:xxxxx-xx, since : is an invalid filename under windows?  If you have
> changed snort to name the capture files to another character what do you
> change in SnortSnarf to create the links to the proper filenames?  I think I
> must be missing something here, wouldn't be the first time... :)
> 
> I am gzip'ing the files on the Linux box, I can bring them over to my
> Windows box but when I extract everything, it chokes on the capture files
> and does not extract them.
> 
> -----Original Message-----
> From: Slighter, Tim [mailto:tslighter at ...5174...]
> Sent: Wednesday, June 26, 2002 9:59 AM
> To: 'Matt Yackley'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Snort / SnortSnarf question about packet
> capture filenames
> 
> 
> understood, what I do is tar both of the directories... (the logs and the
> html's) and then ssh them over to the win32 system.  One strange quirk I
> discovered in this process is that you should tar to a gzip, otherwise the
> files are not so friendly in the win32 environment.  Does that help ?
> 
> -----Original Message-----
> From: Matt Yackley [mailto:Matt.Yackley at ...5858...]
> Sent: Wednesday, June 26, 2002 8:21 AM
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Snort / SnortSnarf question about packet
> capture filenames
> 
> 
> Thanks for the reply, but this isn't quite what I'm looking for, I would
> like to be able to just tar the entire tree, delete the tree and start fresh
> every week, then take the tar file to a windows machine untar, view and burn
> on CD as is.  We can then have every week's alerts complete with all of the
> SnortSnarf pages intact and working.  We can then use these CD's for
> review/research, while keeping the current SnortSnarf reports a little
> cleaner and easier to read.  The problem right now is that the SnortSnarf
> pages don't link to the packet capture files and you have to manually change
> the URL from a : to a _ to view the packets.  If I leave Snort at the
> default the files can't be read from Windoze boxes due to the ":".
> 
> Matt
> -----Original Message-----
> From: Slighter, Tim [mailto:tslighter at ...5174...]
> Sent: Wednesday, June 26, 2002 8:53 AM
> To: 'Matt Yackley'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Snort / SnortSnarf question about packet
> capture filenames
> 
> 
> You could consider doing what I have done to facilitate this with ease.  I
> simply locked down ipchains to allow only tcp port 443 traffic from a single
> host, in addition to this, I installed Apache, mod_ssl and openssl and
> created self-signed CA, server and client certs, configured apache for SSL
> and then designed the entire model for IP restricted access with basic
> authentication and "required" certificates.  That way, I am able to connect
> up to the site (with the alerts and portscan logs) with 4 levels of
> authentication and authorization.  If you are primarily interested in going
> with downloadable files then setup apache for directory listing instead.
> 
> -----Original Message-----
> From: Matt Yackley [mailto:Matt.Yackley at ...5858...]
> Sent: Wednesday, June 26, 2002 7:13 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort / SnortSnarf question about packet capture
> filenames
> 
> 
> Hello all,
> 
> I run Snort & SnortSnarf on a Linux box, but would like the ability to move
> the data off and be able to read it on a Windows box.  Since Windows can't
> handle filenames like TCP:xxxxx-xxx, I have changed the Snort code to log
> the packet capture files with TCP_xxxxx-xxx.  Now I need to get SnortSnarf
> to create the proper links on the alert details page.  I'm not a programmer
> or perl scripter by any means, however I did try a couple of changes to the
> HTMLOutput.pm file, but they did not help.  The one change that I thought
> would have worked was changing 'logfileprototerm' =':' to ='_'.  Any ideas
> on where I need to change SnortSnarf to make this work?
> 
> Thanks,
> Matt Yackley
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by: Jabber Inc.
> Don't miss the IM event of the season | Special offer for OSDN members! 
> JabConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users