[Snort-users] simultaneous snort and tcpdump

Carl Gibbons cgibbons at ...6953...
Thu Sep 26 16:21:03 EDT 2002


On Thu, 26 Sep 2002, Bennett Todd wrote:

> Perhaps I misunderstood Jason, but I _think_ his suggestion is very
> relevant.
>
> I took him to mean that it might be more efficient to use one snort
> to do the job you're currently doing with snort + tcpdump. Rather
> than running both snort and tcpdump, run just snort, and configure
> the snort to log everything, by creating a rule that logs
> everything. I think the canonical example might be
>
> 	log any any any <> any any

Oh, I see.  Sorry for the misunderstanding.  Though, I think pass
rules or other log rules might interfere with this, if I'm not
careful...  Thanks for the explanation.

> If you don't need the alerts in real-time, another approach might be
> to just use either snort or tcpdump as a pure packet capture to save
> everything in a libpcap format file, then as you rotate logs, rotate
> them clean off your capture sniffer to a log archival system, and
> there run snort over them with -r.

Wow, you're astute.  I'm actually also trying to set up a SHADOW
IDS, and you've perfectly described SHADOW's architecture.  I don't
yet have the SHADOW analyzer (you called it a log archival system)
working, and so I'm experimenting with getting snort working on the
SHADOW sensor machine (simultaneously with SHADOW's tcpdump) in the
meantime.  - Carl
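The capture-then-analyze layout Bennett describes (pure libpcap capture on the sensor, completed files rotated off to an archive host, snort run over them there with -r) as an added shell sketch. This is not code from the thread or from SHADOW; the interface, directory, host names and rotation interval are assumptions.

```shell
#!/bin/sh
# Sensor/analyzer split for Snort offline analysis. Added example, not from
# the thread; SENSOR_IF, directories and ANALYZER_HOST are assumed values.

SENSOR_IF=eth0
CAPTURE_DIR=/var/log/capture          # sensor: where tcpdump writes
ARCHIVED_DIR=/var/log/capture/shipped # sensor: files already copied off
ANALYZER_HOST=analyzer.example        # hypothetical archive/analysis host
ANALYZER_DIR=/srv/pcap-archive        # analyzer: inbound pcap files
SNORT_CONF=/etc/snort/snort.conf
SNORT_LOGDIR=/var/log/snort

# Stage 1 (sensor): capture everything, full snaplen, one libpcap file per
# hour. tcpdump's -G rotates the output file and expands strftime(3)
# escapes in the -w name.
capture() {
    mkdir -p "$CAPTURE_DIR" "$ARCHIVED_DIR"
    tcpdump -i "$SENSOR_IF" -n -s 0 -G 3600 \
        -w "$CAPTURE_DIR/trace-%Y%m%d%H%M.pcap"
}

# Every capture file except the newest one, which tcpdump may still be
# writing; only these are safe to ship.
completed_captures() {
    ls -t "$1"/*.pcap 2>/dev/null | tail -n +2
}

# Stage 2 (sensor, from cron): copy completed files to the analyzer and move
# them aside so they are not shipped twice.
ship() {
    for f in $(completed_captures "$CAPTURE_DIR"); do
        scp -q "$f" "$ANALYZER_HOST:$ANALYZER_DIR/" && mv "$f" "$ARCHIVED_DIR/"
    done
}

# Stage 3 (analyzer, from cron): run the full ruleset over each archived
# capture instead of in real time on the sensor.
analyze() {
    for f in "$ANALYZER_DIR"/*.pcap; do
        [ -e "$f" ] || continue
        snort -q -r "$f" -c "$SNORT_CONF" -l "$SNORT_LOGDIR"
    done
}

case "${1:-}" in
    capture) capture ;;
    ship)    ship ;;
    analyze) analyze ;;
esac
```

Run `capture` on the sensor, `ship` from the sensor's cron and `analyze` from the analyzer's cron. If you instead keep the single-process approach with a `log any any any <> any any` rule, remember Snort's default evaluation order is alert, then pass, then log; with `-o` pass rules are evaluated first and a broad pass rule will keep matching packets out of the log rule entirely.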
