[Snort-users] tcpdump script
Shawn.Jefferson at ...14448...
Tue Apr 7 19:07:30 EDT 2009
I wanted to run tcpdump to capture all traffic on my snort sensor, so that if I want to go take a look at traffic based on snort alerts I could get more context. I've set up a couple of scripts to gzip the packet captures and send them to a storage server. My question is about starting tcpdump itself. I tried doing it in the same script that starts snort and barnyard, but this didn't seem to work and I think it's due to the fact that tcpdump needs to be run as root (?).
So, I've created a root cron job that runs every five minutes and will start tcpdump if it finds it not running (using "pidof tcpdump").
Not being a Linux guru, is this the right way to approach this problem?
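The watchdog approach described in the post, written out as an added example (this is not the poster's script and not part of the original thread). Instead of "pidof tcpdump", which would also match an analyst's interactive tcpdump and so skip restarting the sensor capture, it tracks the capture by its own pidfile; tcpdump still needs root to open the interface, so the cron entry runs as root and tcpdump drops to an unprivileged account with -Z once the interface is open, and -G/-z rotate and gzip the savefile every five minutes so a separate gzip pass is not needed. The interface eth0, the directory /var/capture, the user tcpdump and the pidfile path are assumptions; adjust them for the sensor.

```shell
#!/bin/sh
# Added example: cron-driven watchdog keeping a full-packet capture alive on a sensor.
# Assumed cron entry (root's crontab):
#   */5 * * * * /usr/local/sbin/capture-watchdog.sh run
# Assumed settings (override via environment):
CAP_IF="${CAP_IF:-eth0}"                          # interface to capture on
CAP_DIR="${CAP_DIR:-/var/capture}"                # must be writable by CAP_USER
CAP_USER="${CAP_USER:-tcpdump}"                   # unprivileged account for -Z
PIDFILE="${PIDFILE:-/var/run/tcpdump-sensor.pid}" # tracks only *our* tcpdump

# Build the tcpdump command line: no name resolution, full snaplen, rotate every
# 300 s into a timestamped file, gzip each finished file, drop privileges to $3.
capture_cmd() {
    printf '%s\n' "tcpdump -i $1 -n -s 0 -G 300 -w $2/cap-%Y%m%d-%H%M%S.pcap -z gzip -Z $3"
}

# Return 0 if the pidfile names a live process, 1 otherwise.
# A stale or malformed pidfile is removed so the next start is not blocked.
capture_running() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) rm -f "$pidfile"; return 1 ;;   # not a PID at all
    esac
    if kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    rm -f "$pidfile"                                 # process is gone: stale file
    return 1
}

# Start the capture only if it is not already running; record the new PID.
ensure_capture() {
    if capture_running "$PIDFILE"; then
        return 0
    fi
    mkdir -p "$CAP_DIR"
    # shellcheck disable=SC2046 -- deliberate word splitting of the command line
    set -- $(capture_cmd "$CAP_IF" "$CAP_DIR" "$CAP_USER")
    nohup "$@" >/dev/null 2>&1 &
    echo "$!" > "$PIDFILE"
}

# Only act when invoked with "run", so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then
    ensure_capture
fi
```

With -Z the savefiles are opened after the privilege drop, so the capture directory (and the storage-server upload script) must work as the unprivileged user; the rotated, already-gzipped files are what the existing transfer script should pick up.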