[Snort-users] Snort read a incremental file

Alberto Colosi alcol at ...125...
Mon Jan 30 15:31:01 EST 2017


possible to evaluate a gateway ......... routing ............ ever thought of it


yes, a bandwidth trouble could be involved


don't only change the default gateway, but you need to create a gateway with two LAN interfaces with different subnets and a switch where to attach the gateway and servers


if not, ICMP redirect and other routing and network signals could redirect traffic to best paths! Unsure if only gateways use it, so best to really create a new network segment.


Unsure on RIP v1 and v2 ....... OSPF IGRP EIGRP and BGP are only for gateways


http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html





________________________________
From: Paul Li <paul at ...17768...>
Sent: Monday, January 30, 2017 8:39 PM
To: Joel Esler (jesler)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort read a incremental file

Looking for a way that Snort monitors multiple servers but don't want to install sensors on these servers. So try to use tcpdump sniffing the network on these servers and send the data to a central server where Snort is deployed. First thought is to write a file (i.e. as Felix advised, using a named pipe) but realize it works for monitoring one server, but may not for multiple servers... Is there a possible way to do that? How about setting up a virtual network interface on the Snort server and letting tcpdump write data from those targeted servers to that remote virtual interface on the Snort server?

Thanks,
Paul

On Monday, January 30, 2017, Joel Esler (jesler) <jesler at ...589...> wrote:
Is there a particular reason that you are doing it this way, or can you just read directly from the network interface?

--
Joel Esler | Talos: Manager | jesler at ...589...






On Jan 30, 2017, at 10:42 AM, Paul Li <paul at ...17768...> wrote:

Thanks Felix. That works well for my issue. Much appreciated.

A follow-up question: if I have multiple pipes like this one, would there be any order in how Snort reads them?

Thanks,
Paul

On Saturday, January 28, 2017, Felix Erlacher <felix.erlacher at ...17726...> wrote:
Hi Paul,

On a decent OS you can write pcap data to a named pipe and make snort
read from that named pipe. That might be a solution in your case.

Example on Debian:
#mkfifo mypipe
then make your program write data to that file, and with snort simply
#snort -c snort.conf -r ./mypipe

greets

felix

On 28/01/17 14:52, Paul Li wrote:
> I've got a pcap file that keeps adding new network data. I know Snort can
> read a file, but is there a way Snort can read the continuously added
> data to the file?
>
> Thanks,
> Paul
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org<http://SlashDot.org>! http://sdm.link/slashdot
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!
>

--
Felix Erlacher
ccs-labs.org/~erlacher<http://ccs-labs.org/~erlacher>

Key-ID:4EAC0959
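
The named-pipe setup Felix describes, written out as an added example that is not part of the original thread. The interface name `eth0`, the directory `/tmp/snort-feed`, the helper names, and running tcpdump and Snort as the same user are assumptions; `snort -c snort.conf -r` is the invocation from the message above.

```shell
#!/bin/sh
# Added example (not from the thread): feed Snort from a live capture via a FIFO.
PIPE_DIR=${PIPE_DIR:-/tmp/snort-feed}   # hypothetical private directory
PIPE="$PIPE_DIR/mypipe"
IFACE=${IFACE:-eth0}                    # assumed capture interface

# Create the FIFO inside an owner-only directory so other local users can
# neither read the capture nor write packets into Snort's input.
make_pipe() {
    dir=$1; pipe=$2
    ( umask 077; mkdir -p "$dir" ) || return 1
    chmod 700 "$dir" || return 1        # fails if someone else owns the directory
    if [ -e "$pipe" ] && [ ! -p "$pipe" ]; then
        echo "refusing: $pipe exists and is not a FIFO" >&2
        return 1
    fi
    [ -p "$pipe" ] || ( umask 077; mkfifo "$pipe" )
}

# Writer: -w writes raw pcap, -U flushes every packet to the pipe as it is
# captured. Opening the FIFO blocks until a reader has attached.
start_writer() {
    tcpdump -i "$IFACE" -U -w "$1" &
    WRITER_PID=$!
}

# Reader: Snort treats the pipe as a pcap file. It reaches end-of-file and
# exits once the writer closes its end, so the writer must stay running.
start_reader() {
    snort -c snort.conf -r "$1"
}

# Run the pipeline only when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    make_pipe "$PIPE_DIR" "$PIPE" || exit 1
    start_writer "$PIPE"
    start_reader "$PIPE"
    kill "$WRITER_PID" 2>/dev/null
fi
```
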



