[Snort-users] Snort read an incremental file

Paul Li paul at ...17768...
Mon Jan 30 14:39:18 EST 2017


I'm looking for a way for Snort to monitor multiple servers without
installing sensors on those servers. So I'm trying to use tcpdump to sniff the
network on these servers and send the data to a central server where Snort
is deployed. My first thought was to write to a file (i.e. as Felix advised, using a
named pipe), but I realize that works for monitoring one server, but may not
for multiple servers.... Is there a possible way to do that? How about setting up a
virtual network interface on the Snort server and letting tcpdump write data
from those target servers to that remote virtual interface on the Snort
server?

Thanks,
Paul

On Monday, January 30, 2017, Joel Esler (jesler) <jesler at ...589...> wrote:

> Is there a particular reason that you are doing it this way, or can you
> just read directly from the network interface?
>
> --
> Joel Esler | Talos: Manager | jesler at ...589...
>
> On Jan 30, 2017, at 10:42 AM, Paul Li <paul at ...17768...> wrote:
>
> Thanks Felix. That works well for my issue. Much appreciated.
>
> A follow-up question: if I have multiple pipes like this one, would
> there be any order in which Snort reads them?
>
> Thanks,
> Paul
>
> On Saturday, January 28, 2017, Felix Erlacher <felix.erlacher at ...17726...> wrote:
>
>> Hi Paul,
>>
>> On a decent OS you can write pcap data to a named pipe and make Snort
>> read from that named pipe. That might be a solution in your case.
>>
>> Example on Debian:
>> #mkfifo mypipe
>> then make your program write data to that file, and with Snort simply
>> #snort -c snort.conf -r ./mypipe
>>
>> greets
>>
>> felix
>>
>> On 28/01/17 14:52, Paul Li wrote:
>> > I've got a pcap file that keeps getting new network data added. I know Snort can
>> > read a file, but is there a way Snort can read the data continuously added
>> > to the file?
>> >
>> > Thanks,
>> > Paul
>>
>> --
>> Felix Erlacher
>> ccs-labs.org/~erlacher
>>
>> Key-ID:4EAC0959
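Added example, not from this thread or the Snort project: Felix's named-pipe approach applied to the multi-server setup Paul asks about, with one FIFO and one Snort process per remote host, each FIFO fed by that host's tcpdump over ssh. The hostnames, the `eth0` interface, the pipe directory and the snort.conf path are assumptions.

```sh
# Added example (not from the thread or the Snort project): one named pipe per
# monitored host, each fed by a remote tcpdump over ssh and read by its own
# Snort process. Hostnames, interface and paths are placeholders.

PIPE_DIR="${PIPE_DIR:-/var/run/snort-pipes}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Create (or reuse) a FIFO dedicated to one host; prints its path.
make_pipe() {
    mkdir -p "$PIPE_DIR"
    pipe="$PIPE_DIR/$1.pcap"
    [ -p "$pipe" ] || mkfifo -m 0600 "$pipe"
    printf '%s\n' "$pipe"
}

# Sanity check: does the stream start with a libpcap magic number?
# Reads only the first 4 bytes, so it works on a pipe as well as a file.
pcap_magic_ok() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;  # usec/nsec pcap, either byte order
        *) return 1 ;;
    esac
}

# Remote capture for one host. tcpdump -U flushes every packet to the pipe
# at once instead of buffering; 'not port 22' keeps the ssh session's own
# traffic out of the capture.
start_capture() {
    host="$1"; iface="$2"; pipe="$3"
    ssh "$host" "tcpdump -U -i $iface -w - not port 22" > "$pipe" &
}

# One Snort per pipe, exactly as in Felix's single-pipe command.
start_snort() {
    snort -c "$SNORT_CONF" -r "$1" &
}

main() {
    for host in "$@"; do
        pipe=$(make_pipe "$host")
        start_capture "$host" eth0 "$pipe"
        start_snort "$pipe"
    done
    wait
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Two captures must never share one pipe: every pcap stream begins with its own global header and concurrent writes interleave, so the merged bytes are no longer a valid pcap. That is why the multi-server case needs a pipe and a Snort instance per source rather than one pipe for all.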