[Snort-users] tcpdump script

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Apr 7 19:07:30 EDT 2009


I wanted to run tcpdump to capture all traffic on my snort sensor, so that if I want to go take a look at traffic based on snort alerts I could get more context.  I've set up a couple of scripts to gzip the packet captures and send them to a storage server.  My question is about starting tcpdump itself.  I tried doing it in the same script that starts snort and barnyard, but this didn't seem to work and I think it's due to the fact that tcpdump needs to be run as root (?).

So, I've created a root cron job that runs every five minutes and will start tcpdump if it finds it not running (using "pidof tcpdump").

Not being a Linux guru, is this the right way to approach this problem?
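The cron watchdog described in the post, written out as an added example (not the poster's script): it checks `pidof tcpdump`, starts a capture when none is running, and lets tcpdump's own `-G`/`-z` options do the five-minute rotation and gzip step so the capture files arrive ready for the copy to the storage server. The interface name, the capture directory, the unprivileged `tcpdump` account used with `-Z`, and the script path in the crontab line are assumptions, not values from the post.

```shell
#!/bin/sh
# tcpdump-watchdog.sh (example, not from the post): run from root's crontab
# every five minutes; starts a rotating full-packet capture if no tcpdump
# process exists.  Interface, directory and user below are assumed values.
set -u

IFACE="${IFACE:-eth0}"                    # assumed sensor interface
PCAP_DIR="${PCAP_DIR:-/var/spool/pcap}"   # assumed local capture directory
DROP_USER="${DROP_USER:-tcpdump}"         # assumed unprivileged account for -Z
ROTATE_SECS=300                            # new capture file every five minutes

# Return 0 if a tcpdump process exists.  pidof is what the post uses;
# pgrep is the fallback on systems that do not ship pidof.
tcpdump_running() {
    if command -v pidof >/dev/null 2>&1; then
        pidof tcpdump >/dev/null 2>&1
    else
        pgrep -x tcpdump >/dev/null 2>&1
    fi
}

# Print the tcpdump command line for interface $1 and directory $2.
#   -n    no name lookups, so the sensor itself generates no DNS traffic
#   -s 0  full packets, not the default snaplen
#   -G    rotate the output file every ROTATE_SECS seconds (strftime name)
#   -z    run "gzip <file>" on each file as it is closed
#   -Z    drop root to DROP_USER once the capture socket is open
build_capture_cmd() {
    printf 'tcpdump -i %s -n -s 0 -G %s -Z %s -z gzip -w %s/%%Y%%m%%d-%%H%%M%%S.pcap\n' \
        "$1" "$ROTATE_SECS" "$DROP_USER" "$2"
}

# Start a capture unless one is already running.  Needs root: tcpdump must
# open the raw socket before -Z drops privileges.
ensure_capture() {
    if tcpdump_running; then
        return 0
    fi
    mkdir -p "$PCAP_DIR"
    # After -Z the files are written as DROP_USER, so that user must be able
    # to write the directory; keep the captures unreadable to everyone else.
    chown "$DROP_USER" "$PCAP_DIR"
    chmod 0750 "$PCAP_DIR"
    logger -t tcpdump-watchdog "starting capture on $IFACE"
    # Split the built command line into words and detach it from cron.
    set -- $(build_capture_cmd "$IFACE" "$PCAP_DIR")
    nohup "$@" >/dev/null 2>&1 &
}

# root's crontab entry (assumed install path):
#   */5 * * * * /usr/local/sbin/tcpdump-watchdog.sh run
case "${1:-}" in
    run) ensure_capture ;;
esac
```

Two design notes. Checking `pidof tcpdump` only proves that some tcpdump exists, not that it is the capture you want; if anyone else on the sensor runs tcpdump interactively, the watchdog will stay quiet, so a pidfile written by the watchdog is more precise if that matters. On a distribution with a service manager, the same "restart if it died" behaviour is usually expressed as a service unit with a restart policy rather than a cron loop, which also gives you a log of every restart.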


