[Snort-users] tcpdump script

Bamm Visscher bamm.visscher at ...11827...
Tue Apr 7 20:10:16 EDT 2009


http://nsmwiki.org/Packet_Logging_in_Sguil

I use daemontools  instead of Snort for packet logging.
log_packets.sh is a simple shell script that manages daemontools out
of root's cron. I like to keep two weeks of pcap stored in directories
based on date. WIth the timestamp appended to the filename, finding
the packets associated with a particular flow is "simple".

Bamm


On Tue, Apr 7, 2009 at 5:07 PM, Jefferson, Shawn
<Shawn.Jefferson at ...14448...> wrote:
> Hi,
>
> I wanted to run tcpdump to capture all traffic on my snort sensor, so that
> if I want to go take a look at traffic based on snort alerts I could get
> more context.  I’ve setup a couple of scripts to gzip the packet captures
> and send them to a storage server.  My question is about starting tcpdump
> itself.  I tried doing it in the same script that starts snort and barnyard,
> but this didn’t seem to work and I think it’s due to the fact that tcpdump
> needs to be run as root (?).
>
> So, I’ve created a root cron job that runs every five minutes will start
> tcpdump if it finds it not running (using “pidof tcpdump”).
>
> Not being a linux guru, is this the right way to approach this problem?
>
> Thanks,
> Shawn
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> High Quality Requirements in a Collaborative Environment.
> Download a free trial of Rational Requirements Composer Now!
> http://p.sf.net/sfu/www-ibm-com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net




More information about the Snort-users mailing list