[Snort-users] tcpdump script

Joel Esler eslerj at ...11827...
Tue Apr 7 19:46:50 EDT 2009


Excellent point.  Same thing, just with Daemonlogger.  Excellent.

On Tue, Apr 7, 2009 at 7:28 PM, Jason Brvenik <jasonb at ...1935...> wrote:
> You might want to check out daemonlogger instead. It is more
> specifically designed for that purpose.
>
> http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
>
> On Tue, Apr 7, 2009 at 7:07 PM, Jefferson, Shawn
> <Shawn.Jefferson at ...14448...> wrote:
>> Hi,
>>
>> I wanted to run tcpdump to capture all traffic on my snort sensor, so that
>> if I want to go take a look at traffic based on snort alerts I could get
>> more context.  I’ve set up a couple of scripts to gzip the packet captures
>> and send them to a storage server.  My question is about starting tcpdump
>> itself.  I tried doing it in the same script that starts snort and barnyard,
>> but this didn’t seem to work and I think it’s due to the fact that tcpdump
>> needs to be run as root (?).
>>
>> So, I’ve created a root cron job that runs every five minutes and will start
>> tcpdump if it finds it not running (using “pidof tcpdump”).
>>
>> Not being a linux guru, is this the right way to approach this problem?
>>
>> Thanks,
>> Shawn
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>



-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
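The root cron watchdog Shawn describes, with tcpdump doing its own five-minute rotation, post-rotate gzip and privilege drop, written as an added example for this archive page; it is not code posted by anyone in the thread. The interface (eth1), capture directory (/var/cap), unprivileged user (pcap) and pidfile path are assumed placeholders. The -G, -z and -Z options are tcpdump's own (4.x) and replace the separate gzip script and the `pidof tcpdump` check.

```shell
#!/bin/sh
# fpc-watchdog.sh: cron-driven watchdog for a full-packet-capture tcpdump.
# Added example for this thread, not code from any list member.
# Assumed (hypothetical) values; adjust for the sensor:
IFACE="${IFACE:-eth1}"
CAPDIR="${CAPDIR:-/var/cap}"
CAPUSER="${CAPUSER:-pcap}"
PIDFILE="${PIDFILE:-/var/run/fpc-tcpdump.pid}"

# Return 0 if the pid recorded in the pidfile $1 names a live process.
# A pidfile is used instead of `pidof tcpdump` so that an analyst's
# interactive tcpdump does not mask a dead capture process.
capture_running() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;          # empty or non-numeric: treat as stale
    esac
    kill -0 "$pid" 2>/dev/null             # fails if no such process
}

# Print the tcpdump command line for interface $1, directory $2, user $3.
#   -Z user   drop root once the capture device is open
#   -G 300    start a new savefile every 300 seconds
#   -z gzip   run "gzip <file>" on each closed savefile (as the -Z user)
#   -w ...    strftime(3) pattern, so rotated files never overwrite each other
build_tcpdump_cmd() {
    iface="$1"; capdir="$2"; user="$3"
    printf 'tcpdump -i %s -n -s 0 -Z %s -G 300 -z gzip -w %s/cap-%%Y%%m%%d-%%H%%M%%S.pcap\n' \
        "$iface" "$user" "$capdir"
}

# (Re)start the capture if it is not running. Must itself run as root,
# since opening the interface and the -Z drop both require it.
start_capture() {
    if capture_running "$PIDFILE"; then
        return 0
    fi
    mkdir -p "$CAPDIR"
    chown "$CAPUSER" "$CAPDIR"   # after -Z, tcpdump and gzip write as $CAPUSER
    cmd=$(build_tcpdump_cmd "$IFACE" "$CAPDIR" "$CAPUSER")
    # exec so that $! is tcpdump's own pid, detached from cron's stdio
    nohup sh -c "exec $cmd" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

# Only act when run as the watchdog script, so the functions above can be
# sourced or tested without starting a capture.
if [ "$(basename "$0")" = "fpc-watchdog.sh" ]; then
    start_capture
fi
```

Installed as root's crontab entry `*/5 * * * * /usr/local/sbin/fpc-watchdog.sh`, the script restarts tcpdump within five minutes of it dying, and because rotation and gzip happen inside tcpdump, the copy-to-storage job only has to move finished `.pcap.gz` files. Daemonlogger, which Jason points to above, is built for exactly this ring-buffer role and can replace the tcpdump command line here without changing the watchdog.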



