[Snort-users] snort tcpdump binary file mirroing overnetwork.

samwun samwun at ...9831...
Sun Nov 2 07:45:19 EST 2003


Actually I found this can be done very easily with C programming
read/write over the socket. I will modify my old code which has
multi-threaded capability at the server side. There is only one problem
with this is that it didn't build in encryption functionality, but this
can be easily accomplished by directing traffic to ssh between server
and client. Server ssh just need to maintain a list of certificates in
order to authenticate with clients.

-----Original Message-----
From: Shawn Truax [mailto:Shawn.Truax at ...8509...] 
Sent: Saturday, October 25, 2003 5:17 PM
To: samwun at ...9831...; erek at ...950...
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] snort tcpdump binary file mirroing
overnetwork.

If you took Eric's idea for scp and created a cron job to do the
following it might work.

1. Stop Snort
2. scp your files from the /some/dir/for/snort using *.log wildcards
3. then move the file to /some/dir/for/snort/archive
4. Start Snort

This way you won't be copying your old files over and over as they will
be moved to a different folder.  That way they will still be available
if you need them.  The down side to this is the downtime for snort
during the file copy.  Problem is you don't want to do the move with
just a sig hup or you would move the file that snort is trying to write
too.  If you knew some Perl or someone who could program something up
for you.  It shouldn't be too hard to write something that copies just
the oldest file in the directory and then moves it, leaving the new one
alone.

As an aside thanks for the info on the -d switch Erek.  I completely
forgot about that, I think the GUI interface I am using now has spoiled
me :)

Shawn



>>> samwun <samwun at ...9831...> 10/24/03 11:26pm >>>


-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: Saturday, October 25, 2003 2:47 AM
To: samwun
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort tcpdump binary file mirroing over
network.

On Fri, 24 Oct 2003, samwun wrote:

> I found that when I enabled tcpdump output module, binary file
> tcpdump.log is stored in the sensor. I would like to mirror a dir or
> file system which contains tcpdump.log file generated by Snort. I want
> to keep a copy of this file system (contains binary file tcpdump.log)
> stored in a remote server as well.
>
> I found that verita Volume Manager/Replicator can do mirroring, but it
> is commercial and I am not sure whether it is suitable for this
> instance.
>
> Any comment and suggestion is very appreciated.

What's wrong with sending Snort a SIGHUP once an hour, and then using
something like:

    scp tcpdump.file otherhost:/some/dir/for/snort/

May bet it works, but I am concerning how many tcpdump.log files I have
to copy over to a remote server at the end of a day or week or even
months..
I supposed every time when you do a HUP on snort, there will be new
tcpdpump.log file generated with different number at the end of the
file, eg. tcpdump.log.3984938, while previous tcpdump.log.xxxxx files
are still in the directory (/var/log/snort/). Every time when we do a
scp, it will end up copying all the previous files over and over
again...


Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson



-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list