[Snort-users] FIFO instead of NIC

waldo kitty wkitty42 at ...14940...
Fri Jun 21 08:42:33 EDT 2013


On 6/21/2013 07:09, Tiaan Wessels wrote:
> Hi,
> I have installed snort on an Ubuntu machine. I have in /etc/snort a file
> with DEBIAN_SNORT_INTERFACE="eth0" in it which results in snort starting at boot
> with -i eth0 in its command-line. However, I want snort to start up on boot to
> read from a fifo e.g. /tmp/eth0.fifo instead. Can someone assist to show how to
> achieve this? I have a router sending all traffic to my Ubuntu machine in TZSP.
> I have a program that strips off TZSP and dumps in pcap format to a fifo
> /tmp/eth0.fifo and I want snort to use this traffic for analysis instead of the
> Ubuntu machine's own eth0. Essentially I want the -i eth0 replaced with -r
> /tmp/eth0.fifo but cannot figure out where in snort's configs to do this.
> Thanks

you don't do it in the config... you find and modify the startup scripts in your 
debian installation... you'll probably find them in /etc/init.d or /etc/rc.d... 
most likely there will be one script linked into other places so be careful that 
you don't break it...

likely you'll just want to find the start up line in that script, copy it to a 
new line, comment out the original (for protection in case of a screwup) and 
edit the new line to change the "-i $DEBIAN_SNORT_INTERFACE" portion to "-r 
/tmp/eth0.fifo"...


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
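
The edit described in the reply, as an added example that is not part of the original thread: it works on a copy of the init script, keeps each active line containing `-i $DEBIAN_SNORT_INTERFACE` as a comment, and adds a copy that uses `-r /tmp/eth0.fifo`. The function names and the sample start-up line are assumptions made for illustration; the real Debian script will differ.

```shell
#!/bin/sh
# Added example. Works on a COPY of the init script, never the live file.

# fifo_ready PATH: succeed only if PATH exists and is a named pipe, so that
# "snort -r" is not pointed at a missing path or at a regular file.
fifo_ready() { [ -p "$1" ]; }

# patch_snort_init SRC DST FIFO (hypothetical helper name)
# Writes DST from SRC. Each active (uncommented) line containing the literal
# text '-i $DEBIAN_SNORT_INTERFACE' is kept as a comment and followed by a
# copy that uses '-r FIFO' instead. Returns 1 if no such line was found.
patch_snort_init() {
    src=$1 dst=$2 fifo=$3
    awk -v fifo="$fifo" '
        BEGIN { needle = "-i $DEBIAN_SNORT_INTERFACE"; hits = 0 }
        {
            pos = index($0, needle)          # literal match, no regex on "$"
            if (pos > 0 && $0 !~ /^[ \t]*#/) {
                print "#" $0                 # original kept for rollback
                print substr($0, 1, pos - 1) "-r " fifo \
                      substr($0, pos + length(needle))
                hits++
            } else {
                print
            }
        }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$src" > "$dst"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed stand-in for the start-up line of the init script.
    cat > "$tmp/snort.init" <<'EOF'
start-stop-daemon --start --exec /usr/sbin/snort -- -D -i $DEBIAN_SNORT_INTERFACE -c /etc/snort/snort.conf
EOF
    fifo_ready /tmp/eth0.fifo || echo "note: /tmp/eth0.fifo is not a FIFO yet"
    patch_snort_init "$tmp/snort.init" "$tmp/snort.init.new" /tmp/eth0.fifo \
        && cat "$tmp/snort.init.new"
    rm -rf "$tmp"
}
demo
```

Review the generated file against the original with `diff` before putting it in place of the real script.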



