Snort mailing list archives
Re: a question
From: Phil Wood <cpw () lanl gov>
Date: Mon, 11 Feb 2002 18:01:47 -0700
On Mon, Feb 11, 2002 at 02:32:17PM -0600, Coming at Ya Straight outta Humboldt Park wrote:
I saw your recent post about snort core-dumping, and I was wondering if it would be possible to get a copy of the script you are utilizing to restart snort/and prevent looped processes.
I'll try and find some time to get them together. The problem is that they are specific to a snort loaded with a libpcap which I've modified (Linux only) to timeout when the packet time has exceeded the specified timeout (julian seconds) time. That and a 32768 shared memory ring buffer make for relatively good packet capture. (I'm sure it's not as good as BSD ^%)

Essentially there are just two shell scripts, the first is a while loop, and the second starts up snort. I've come up with my own file naming scheme. Example:

    Datafile 548267 Feb 11 17:47 /log/all/bb20020211.1735       <- -b option
    Datafile 14636  Feb 11 17:46 /log/all/bb20020211.1735.scan  <- from portscan

I modified the portscan preprocessor to only generate entries in the .scan file. They look like this:

    Feb 11 17:35:34 129.70.11.232:20 -> 192.16.3.161:2015 SYN ******S*

and are not amenable to ACID which I sometimes use, but have lately decided to accomplish with a post process of the pcap file (-b).

where bb is an extension that makes this instance unique, and the remainder should be obvious.

Also, in the outer loop, if the duration of a run (endtime-starttime from the date program (date '+%s'), I quit and phone home. %^)

PS: Do you happen to live in the California redwoods, and go surfing in the Pacific Ocean, when not snorting [in the more mundane sense of the word]?
best regards,
/dn
*****************************************************************
One person's paranoia is another person's engineering redundancy.
- Marcus J. Ranum
*****************************************************************
http://www.pyro.net/~daniel/key.htm
--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
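The two-script arrangement the reply describes (an outer while loop that restarts snort, a run timed with date '+%s', and a bail-out when a run ends too quickly), as an added example that is not Phil Wood's script. It assumes the post's /log/all directory and "bb" prefix, a constructed MIN_RUN_SECS threshold (the post gives no number), a hypothetical phone_home hook, and snort's -l/-L flags for the log directory and binary file name.

```shell
#!/bin/sh
# Added example, not the scripts from the post: an outer loop that restarts
# snort and gives up (phoning home) when a run ends too quickly, which is
# what a crash loop looks like to the watchdog.
# Assumptions: /log/all and the "bb" prefix follow the post's naming scheme;
# MIN_RUN_SECS is a constructed threshold (the post does not give one);
# phone_home is a hypothetical hook; -l/-L are snort's log-directory and
# binary-log-file-name flags.

LOGDIR=${LOGDIR:-/log/all}
PREFIX=${PREFIX:-bb}
MIN_RUN_SECS=${MIN_RUN_SECS:-300}
SNORT_CMD=${SNORT_CMD:-snort}    # overridden with a stub when testing

# Per-run pcap name in the post's scheme, e.g. /log/all/bb20020211.1735.
# $1 = log directory, $2 = instance prefix, $3 = YYYYMMDD.HHMM stamp
logfile_name() {
    printf '%s/%s%s\n' "$1" "$2" "$3"
}

# True (exit 0) when end - start is below the minimum run length.
# $1 = start, $2 = end, $3 = minimum; all in epoch seconds (date '+%s').
run_too_short() {
    [ $(( $2 - $1 )) -lt "$3" ]
}

# Hypothetical notification hook: wire up mail or a pager here.
phone_home() {
    printf 'snort watchdog: %s\n' "$1" >&2
}

# The outer loop. Returns 2 when it stops because a run was too short.
watchdog() {
    while :; do
        start=$(date '+%s')
        stamp=$(date '+%Y%m%d.%H%M')
        out=$(logfile_name "$LOGDIR" "$PREFIX" "$stamp")
        # -b: binary (pcap) logging as in the post; -l/-L say where it goes
        "$SNORT_CMD" -b -l "$LOGDIR" -L "${out##*/}"
        end=$(date '+%s')
        if run_too_short "$start" "$end" "$MIN_RUN_SECS"; then
            phone_home "run of $((end - start))s ended early, not restarting"
            return 2
        fi
        # a run of normal length ended: start a fresh one with a new file name
    done
}

if [ "${1:-}" = run ]; then watchdog; exit $?; fi
```

Run it as `sh snort-watchdog.sh run`; the loop itself never sleeps, because a normal-length run ending is the case where you want snort back immediately.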