[Snort-users] Tapping into the ring buffer

Joe Patterson jpatterson at ...12705...
Mon Aug 22 13:22:09 EDT 2005


I recall thinking something very similar once.  My solution was to write a
little program that was much like a stripped-down version of tcpdump
combined with tee.  It would basically read from one pcap buffer and write
to N output files, and stdout. (I also gave it the nice feature that, on a
HUP, it would stat its output files, and for each one that didn't exist, it
would close and re-open it).  So, in the end, I had snort running ( |
snort -r -) and dealing with things in real-time, and then another process
that would rotate my output files (with that HUP) and do post-processing
with whatever else I needed to use.

It *seemed* to work fairly efficiently.

-Joe
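
A minimal Python sketch of the tee-and-rotate tool described above (an added example, not Joe's program or anything from the Snort project): it parses classic pcap records, copies each one to N output files, and on HUP stats every output path and reopens the ones that were rotated away. It reads from an in-memory byte string rather than a live pcap handle, and the output names and the two sample frames are constructed for the demo.

```python
import os
import struct
import tempfile
# Classic little-endian pcap (magic 0xA1B2C3D4): 24-byte file header, 16-byte header per record.
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
def read_pcap(data):  # yield (record_header, packet_bytes) pairs from a raw pcap byte string
    off = GLOBAL_HDR.size
    while off + PKT_HDR.size <= len(data):
        end = off + PKT_HDR.size + PKT_HDR.unpack_from(data, off)[2]
        yield data[off:off + PKT_HDR.size], data[off + PKT_HDR.size:end]
        off = end
class PcapTee:  # copy every record to N pcap files; on HUP, reopen any output that has vanished
    def __init__(self, global_hdr, paths):
        self.global_hdr, self.files = global_hdr, {}
        for p in paths:
            self._open(p)
    def _open(self, path):
        self.files[path] = open(path, "wb", buffering=0)  # unbuffered, so a live reader sees records
        self.files[path].write(self.global_hdr)  # every fresh file needs its own pcap header
    def on_hup(self, *_):  # bind with signal.signal(signal.SIGHUP, tee.on_hup)
        gone = [p for p in self.files if not os.path.exists(p)]  # stat each output path
        for p in gone:  # a path that no longer exists was rotated away: close it, reopen fresh
            self.files[p].close()
            self._open(p)
        return gone
    def write(self, hdr, pkt):
        for f in self.files.values():
            f.write(hdr + pkt)
    def close(self):
        for f in self.files.values():
            f.close()

def sample_pcap():  # constructed sample, not captured traffic: two frames behind a zeroed Ethernet header
    out = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate((b"\x00" * 14 + b"pkt-one", b"\x00" * 14 + b"pkt-two")):
        out += PKT_HDR.pack(1124727729 + i, 0, len(frame), len(frame)) + frame
    return out

def demo():  # tee packet 1, rename output b as a rotator would, send HUP, tee packet 2, count records
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "a.pcap"), os.path.join(d, "b.pcap")
    recs = list(read_pcap(sample_pcap()))
    tee = PcapTee(sample_pcap()[:GLOBAL_HDR.size], [a, b])
    tee.write(*recs[0])
    os.rename(b, b + ".1")
    tee.on_hup()  # what `kill -HUP <pid>` would trigger
    tee.write(*recs[1])
    tee.close()
    return tuple(len(list(read_pcap(open(p, "rb").read()))) for p in (a, b + ".1", b))  # (2, 1, 1)
```

In the real tool the first output would be stdout for `snort -r -`, and `on_hup` would be registered as the SIGHUP handler rather than called directly.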

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of sekure
> Sent: Monday, August 22, 2005 9:16 AM
> To: Harry Hoffman
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Tapping into the ring buffer
>
>
> I was thinking of that, but ideally I was looking for something
> simpler.  Besides, depending on the speed of your processor vs. the
> load of the network, snort might quit when it finishes processing the
> last packet in the file, which could happen before tcpdump captures
> its 500 Megs worth and rotates the files.
>
> I guess I was thinking that this ring buffer has to exist somewhere in
> memory. It would be nice if other applications could read it too, in
> realtime.
>
> Thanks,
>
> On 8/19/05, Harry Hoffman <hhoffman at ...10275...> wrote:
> > Hi Sekure,
> >
> > Will something like this work for you:
> >
> > PCAP_FRAMES=32000 /usr/sbin/tcpdump -i eth0 -C 500 -w pcap.dmp
> > and then
> >
> > snort -r pcap.dmp -c /etc/snort/snort.conf
> > you'd need a loop for the snort bit but that should be pretty
> > straightforward.
> >
> > I believe that the apps are independent of each other, which is why you
> > can run a host based firewall and still have snort grab all of the
> > packets (someone please correct me if I'm wrong).
> >
> > Also, you set the interface into promisc mode. The first application
> > that does so allows any other application to not need to set promisc
> > (again please correct me if I'm wrong).
> >
> >
> > HTH,
> > Harry
> >
> > sekure wrote:
> > > Snorters,
> > >
> > > I am running snort compiled against Phil Woods' modified libpcap
> > > library and I was thinking if it was possible to tap into the buffer
> > > that it creates with other applications without having to recapture
> > > the packets off the wire if I wanted to run some additional
> > > statistical or gathering tools on them.  For example, if I run snort
> > > and tcpdump side by side, on the same interface, are they both
> > > grabbing packets, and is this introducing any sort of latency?  Could
> > > I for example run snort and ntop and PADS (passive.sourceforge.net)
> > > side by side on the same interface without introducing any more
> > > slowdown (other than what is caused by processing within the
> > > individual application)?
> > >
> > > Does anyone know how much impact, if any, is introduced by running
> > > additional promiscuous mode applications, specifically due to
> > > sniffing, or if there is any interaction at all?
> > >
> > > I am not 100% clear about what happens deep in the guts of the OS, so
> > > I need someone to set me straight.
> > >
> > > Thanks in advance.
> > >
> > >


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users