[Snort-users] same tcpdump.log to remote log server instead of local sensor
frank at ...9761...
Wed Jan 28 01:43:28 EST 2004
On Tue, 2004-01-27 at 23:14, samwun wrote:
> The snort sensor saves tcpdump.log files to the local sensor directory. As
> the tcpdump.log files generated by snort contain payload information
> for in-depth analysis, it is best for snort to generate these tcpdump.log
> files on a remote syslog server in near real-time mode.
Full ASCII dump or full packet dump into a database happens in real-time
mode and is useful for in-depth analysis. I'm not sure why you need
tcpdump format in particular. (I get emails and IRC notifications every
couple of minutes, the emails with a full ASCII dump).
However, the question:
> Does anyone know how to generate these tcpdump.log files from snort in
> a remote server in the near real-time mode?
can be answered with "not yet". I'm planning to write a modification to
Snort that allows remote transfers of data for output through any output
plugin, including tcpdump. (I started planning last year Feb but had to
shelve the project due to time constraints. I should be able to pick up
on it later this spring). Stay tuned to snort-users for an announcement
later this year.