Snort mailing list archives

RE: help improving time it takes to read compressed tcpdumps


From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Wed, 7 Nov 2001 12:30:35 -0600

It looks like snort does accept input from STDIN if you use the "-" 
special file:

gzip -dc dumpfile.log.gz | snort -devr -

This is not mentioned in the man page for 1.7 or 1.8.2 and should
probably be added.  But it's old school Unix anyway.

At the very least, I would recommend that when you decompress to read 
into snort, you leave the original compressed file in place to avoid
the re-compress step:

gzip -dc dumpfile.log.gz > dumpfile.log && \
        snort -devr dumpfile.log && \
        rm dumpfile.log

The zlib added to snort would be nice, too, like Ethereal does.

Regards,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.
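Putting the two suggestions above together, here is an added example (not from either post) of a POSIX shell function that streams a gzip or bzip2 compressed capture into a reader command such as "snort -devr -" without ever writing the decompressed copy to disk; it tests the archive first, because a pipeline's exit status is that of the last command, so a truncated archive would otherwise be analysed only partially and silently. The magic-byte detection and the function name are my own assumptions.

```shell
#!/bin/sh
# Stream a (possibly compressed) tcpdump capture into a pcap reader.
# Usage: stream_capture FILE READER [READER-ARGS...]
#   e.g. stream_capture dumpfile.log.gz snort -devr -
# Assumed helper, not part of snort or of the original posts.
stream_capture() {
    sc_file=$1; shift
    [ -r "$sc_file" ] || { echo "unreadable: $sc_file" >&2; return 2; }

    # Identify the container from its first two bytes instead of the
    # file name: 1f8b = gzip, 425a ("BZ") = bzip2, anything else = raw.
    sc_magic=$(od -An -tx1 -N2 "$sc_file" | tr -d ' \n' | tr 'A-F' 'a-f')
    case $sc_magic in
        1f8b) sc_decomp=gzip ;;
        425a) sc_decomp=bzip2 ;;
        *)    sc_decomp="" ;;
    esac

    if [ -n "$sc_decomp" ]; then
        # Integrity check first: in "gzip -dc f | reader" only the
        # reader's status is visible, so a corrupt or truncated archive
        # would look like a successful (but incomplete) run.
        "$sc_decomp" -t "$sc_file" 2>/dev/null \
            || { echo "corrupt archive: $sc_file" >&2; return 3; }
        # Decompress on the fly; nothing is written to disk and the
        # compressed original stays in place for archival.
        "$sc_decomp" -dc "$sc_file" | "$@"
    else
        # Already uncompressed: hand it to the reader on stdin as-is.
        "$@" < "$sc_file"
    fi
}
```

The reader is whatever is passed after the file name, so the same function works for snort, tcpdump -r - or any other tool that reads a capture from stdin.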

-----Original Message-----
From: Erik Melander [mailto:Emelander () wyndham com]
Sent: Wednesday, November 07, 2001 11:41 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] help improving time it takes to read compressed tcpdumps


As I understand it, Snort does not accept tcpdump data from stdin, but
requires the use of the "-r" flag to read tcpdumps.  Currently, I pull
compressed tcpdumps from my sensors, aggregate them on the analyzing
machine, uncompress them, read them into Snort, and recompress them for
archival purposes.  I would like to use the Compress:Zlib perl module to
uncompress and compress on the fly while dumping the data into stdin (much
like the fetchem.pl script does on Shadow).  This should significantly
reduce the time it takes to read compressed tcpdumps into Snort.  Even
better would be the ability to compile zlib into snort so it can natively
read compressed tcpdumps.  If this is not possible, if anyone has any
suggestions for improving the time it takes for this process, I would love
to hear it.  Thanks!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
