[Snort-users] FIFO instead of NIC

Tiaan Wessels tiaanwessels at ...11827...
Fri Jun 21 07:09:18 EDT 2013


Hi,
I have installed snort on an Ubuntu machine. I have in /etc/snort a file
with DEBIAN_SNORT_INTERFACE="eth0" in it which results in snort starting at
boot with -i eth0 in its command-line. However, I want snort to start up on
boot to read from a fifo e.g. /tmp/eth0.fifo instead. Can someone assist to
show how to achieve this? I have a router sending all traffic to my Ubuntu
machine in TZSP. I have a program that strips off TZSP and dumps in pcap
format to a fifo /tmp/eth0.fifo and I want snort to use this traffic for
analysis instead of the Ubuntu machine's own eth0. Essentially I want the
-i eth0 replaced with -r /tmp/eth0.fifo but cannot figure out where in
snort's configs to do this.
Thanks
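
The feeder side of the pipeline described above, as an added example that is not part of the original message and is not the poster's program: a TZSP decapsulator that writes classic pcap records to the FIFO named in the post. The UDP port 37008, the bind address, and all function names are assumptions; the sample datagrams used to check it are constructed.

```python
import socket
import struct
import time

TZSP_PORT = 37008                  # conventional TZSP UDP port (assumption, not from the post)
TAG_PADDING, TAG_END = 0x00, 0x01  # the only two tags that carry no length byte
LINKTYPE_ETHERNET = 1              # pcap link type; TZSP encapsulated protocol 1 is Ethernet too

def pcap_global_header(snaplen=65535):
    """24-byte classic pcap file header, little-endian, microsecond timestamps."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)

def strip_tzsp(datagram):
    """Return the encapsulated Ethernet frame, or None if the datagram is unusable."""
    if len(datagram) < 4:
        return None
    version, _ptype, proto = struct.unpack("!BBH", datagram[:4])
    if version != 1 or proto != 1:
        return None
    pos = 4
    while pos < len(datagram):
        tag = datagram[pos]
        if tag == TAG_END:                  # payload starts right after the end tag
            return datagram[pos + 1:] or None
        if tag == TAG_PADDING:
            pos += 1
            continue
        if pos + 1 >= len(datagram):        # tag without its length byte: truncated
            return None
        pos += 2 + datagram[pos + 1]        # skip tag, length byte and value
    return None                             # ran off the end without an end tag

def pcap_record(frame, ts=None):
    ts = time.time() if ts is None else ts
    sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def run(fifo_path="/tmp/eth0.fifo", bind=("0.0.0.0", TZSP_PORT)):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    with open(fifo_path, "wb", buffering=0) as out:  # blocks until a reader opens the FIFO
        out.write(pcap_global_header())
        while True:
            frame = strip_tzsp(sock.recv(65535))
            if frame:                       # malformed or non-Ethernet datagrams are dropped
                out.write(pcap_record(frame))

if __name__ == "__main__":
    run()
```

Malformed datagrams are dropped rather than forwarded, so the reader of the FIFO only ever sees well-formed pcap records.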