[Snort-users] FIFO instead of NIC
wkitty42 at ...14940...
Fri Jun 21 08:42:33 EDT 2013
On 6/21/2013 07:09, Tiaan Wessels wrote:
> I have installed snort on an Ubuntu machine. I have in /etc/snort a file
> with DEBIAN_SNORT_INTERFACE="eth0" in it which results in snort starting at boot
> with -i eth0 in its command-line. However, I want snort to start up on boot to
> read from a fifo e.g. /tmp/eth0.fifo instead. Can someone assist to show how to
> achieve this? I have a router sending all traffic to my Ubuntu machine in TZSP.
> I have a program that strips off TZSP and dumps in pcap format to a fifo
> /tmp/eth0.fifo and I want snort to use this traffic for analysis instead of the
> Ubuntu machine's own eth0. Essentially I want the -i eth0 replaced with -r
> /tmp/eth0.fifo but cannot figure out where in snort's configs to do this.

you don't do it in the config... you find and modify the startup scripts in your
debian installation... you'll probably find them in /etc/init.d or /etc/rc.d...
most likely there will be one script linked into other places so be careful that
you don't break it...

likely you'll just want to find the start up line in that script, copy it to a
new line, comment out the original (for protection in case of a screwup) and
edit the new line to change the "-i $DEBIAN_SNORT_INTERFACE" portion to "-r

NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
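
The edit described in the reply, as an added example (not part of the original post and not Debian's own script): keep the original startup line as a comment and add a copy with the interface option swapped for a read-from-file option. It assumes the startup line contains the literal text `-i $DEBIAN_SNORT_INTERFACE` quoted in the reply and takes the replacement `-r /tmp/eth0.fifo` from the question; the function name `patch_snort_start` is hypothetical.

```shell
#!/bin/sh
# Added example. patch_snort_start is a hypothetical helper, not part of Snort
# or of the Debian package.
# Usage: patch_snort_start <startup-script> <pcap-source>
#   e.g. patch_snort_start /etc/init.d/snort /tmp/eth0.fifo
patch_snort_start() {
    script=$1
    pcap_source=$2
    # Literal text named in the reply; single quotes keep the shell from expanding it.
    needle='-i $DEBIAN_SNORT_INTERFACE'

    # Refuse to edit a script that does not contain the expected option
    # (for example if the variable is quoted or spelled differently there).
    if ! grep -qF -- "$needle" "$script"; then
        echo "patch_snort_start: '$needle' not found in $script" >&2
        return 1
    fi

    # Keep an untouched backup next to the script in case of a mistake.
    cp -p -- "$script" "$script.orig" || return 1

    # Write back into the existing file so its mode (the execute bit) and any
    # links pointing at it are preserved.
    awk -v needle="$needle" -v repl="-r $pcap_source" '
        {
            pos = index($0, needle)
            # Pass through unrelated lines and lines that are already comments.
            if (pos == 0 || $0 ~ /^[ \t]*#/) { print; next }
            print "#" $0    # the original line, commented out
            print substr($0, 1, pos - 1) repl substr($0, pos + length(needle))
        }
    ' "$script.orig" > "$script"
}
```

Run it as root against the real script only after trying it on a copy, and compare the result with `diff -u <script>.orig <script>` before restarting the service.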