Snort mailing list archives

Re: a question


From: Phil Wood <cpw () lanl gov>
Date: Mon, 11 Feb 2002 18:01:47 -0700

On Mon, Feb 11, 2002 at 02:32:17PM -0600, Coming at Ya Straight outta Humboldt Park wrote:

I saw your recent post about snort core-dumping, and I was wondering if it
would be possible to get a copy of the script your are utilizing to
restart snort/and prevent looped processes.  

I'll try and find some time to get them together.  The problem is that
they are specific to a snort loaded with a libpcap which I've modified
(Linux only) to timeout when the packet time has exceeded the specified
timeout (julian seconds) time.  That and a 32768 shared memory ring buffer
make for relatively good packet capture.  (I'm sure it's not as good
as BSD ^%)

Essentially there are just two shell scripts, the first is a while loop,
and the second starts up snort.  I've come up with my own file
naming scheme.  Example:

Datafile       548267 Feb 11 17:47 /log/all/bb20020211.1735       <- -b option
Datafile        14636 Feb 11 17:46 /log/all/bb20020211.1735.scan  <- from portscan
I modified the portscan preprocessor to only generate entries in the .scan
file.  They look like this:

Feb 11 17:35:34 129.70.11.232:20 -> 192.16.3.161:2015 SYN ******S*

and are not amenable to ACID which I sometimes use, but have lately decided
to accomplish with a post process of the pcap file (-b).

where bb is an extension that makes this instance unique, and the remainder
should be obvious.

Also, in the outer loop, if the duration of a run (endtime-starttime from
the date program (date '+%s')), I quit and phone home.  %^)

PS: Do you happen to live in the California redwoods, and go surfing in
the Pacific Ocean, when not snorting [in the more mundane sense of the
word]?


best regards,
/dn

*****************************************************************
One person's paranoia is another person's engineering redundancy.

                                      - Marcus J. Ranum
*****************************************************************
http://www.pyro.net/~daniel/key.htm


-- 
Phil Wood, cpw () lanl gov
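The two scripts described above, a restart loop plus a starter that names each -b capture file bb<YYYYMMDD>.<HHMM>, are sketched here as an added example; this is not Phil Wood's code, and the log directory, interface, time limits, back-off and the notify channel are constructed assumptions. The run-time check uses date '+%s' as the mail describes; the short-run back-off is an assumed guard for the "looped processes" case, and the snort flags should be checked against the local snort version.

```shell
#!/bin/sh
# Added example (not the scripts from the mail): a watchdog loop around a snort
# instance writing -b pcap logs under a bb<YYYYMMDD>.<HHMM> naming scheme.
# It quits and notifies when cumulative run time passes a limit, and backs off
# when snort keeps exiting immediately. All values below are assumed defaults.

LOG_DIR="${LOG_DIR:-/log/all}"          # log directory as in the mail's listing
TAG="${TAG:-bb}"                        # per-instance prefix that makes the name unique
IFACE="${IFACE:-eth0}"                  # assumed capture interface
SNORT="${SNORT:-snort}"                 # point this at a stub for a dry run
MAX_RUN_SECS="${MAX_RUN_SECS:-86400}"   # assumed: stop and notify after a day of uptime
MIN_RUN_SECS="${MIN_RUN_SECS:-5}"       # assumed: a run shorter than this is a crash loop
BACKOFF_SECS="${BACKOFF_SECS:-30}"      # assumed: pause before restarting a crash-looping snort

# capture_name TAG STAMP [SUFFIX] -> /log/all/bb20020211.1735[.scan]
capture_name() {
    printf '%s/%s%s%s\n' "$LOG_DIR" "$1" "$2" "${3:-}"
}

# run_exceeded START END LIMIT: succeeds when END-START is greater than LIMIT seconds
run_exceeded() {
    [ $(( $2 - $1 )) -gt "$3" ]
}

# "phone home": syslog via logger when available, otherwise stderr
notify() {
    logger -t snort-watchdog "$*" 2>/dev/null || printf 'snort-watchdog: %s\n' "$*" >&2
}

# the inner script: start one snort run, logging packets to a fresh file
start_snort() {
    stamp=$(date '+%Y%m%d.%H%M')
    file=$(capture_name "$TAG" "$stamp")
    # -b: tcpdump-format packet log, -l: log directory, -L: log file name
    "$SNORT" -i "$IFACE" -b -l "$LOG_DIR" -L "$(basename "$file")"
}

# the outer while loop: restart snort whenever it exits
watchdog() {
    start=$(date '+%s')
    while :; do
        t0=$(date '+%s')
        start_snort
        rc=$?
        now=$(date '+%s')
        if run_exceeded "$start" "$now" "$MAX_RUN_SECS"; then
            notify "run time exceeded ${MAX_RUN_SECS}s, quitting (last snort exit code $rc)"
            return 0
        fi
        if ! run_exceeded "$t0" "$now" "$MIN_RUN_SECS"; then
            notify "snort exited after $((now - t0))s (code $rc); sleeping ${BACKOFF_SECS}s"
            sleep "$BACKOFF_SECS"
        fi
    done
}

# Run the loop only when asked, so the file can also be sourced for its functions:
#   RUN_WATCHDOG=1 sh snort-watchdog.sh
if [ "${RUN_WATCHDOG:-0}" = 1 ]; then
    watchdog
fi
```

For a dry run, set SNORT to a stub that sleeps and exits non-zero; the loop then demonstrates the back-off path without touching a real interface.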


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net