Snort mailing list archives
RE: Snort / SnortSnarf question about packet capture filenames
From: Matt Yackley <Matt.Yackley () perkinswill com>
Date: Wed, 26 Jun 2002 09:20:53 -0500
Thanks for the reply, but this isn't quite what I'm looking for. I would like to be able to just tar the entire tree, delete the tree and start fresh every week, then take the tar file to a Windows machine, untar, view and burn on CD as is. We can then have every week's alerts complete with all of the SnortSnarf pages intact and working. We can then use these CDs for review/research, while keeping the current SnortSnarf reports a little cleaner and easier to read.

The problem right now is that the SnortSnarf pages don't link to the packet capture files and you have to manually change the URL from a ":" to a "_" to view the packets. If I leave Snort at the default, the files can't be read from Windoze boxes due to the ":".

Matt

-----Original Message-----
From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
Sent: Wednesday, June 26, 2002 8:53 AM
To: 'Matt Yackley'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort / SnortSnarf question about packet capture filenames

You could consider doing what I have done to facilitate this with ease. I simply locked down ipchains to allow only TCP port 443 traffic from a single host; in addition to this, I installed Apache, mod_ssl and OpenSSL and created self-signed CA, server and client certs, configured Apache for SSL and then designed the entire model for IP-restricted access with basic authentication and "required" certificates. That way, I am able to connect up to the site (with the alerts and portscan logs) with 4 levels of authentication and authorization.

If you are primarily interested in going with downloadable files, then set up Apache for directory listing instead.

-----Original Message-----
From: Matt Yackley [mailto:Matt.Yackley () perkinswill com]
Sent: Wednesday, June 26, 2002 7:13 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort / SnortSnarf question about packet capture filenames

Hello all,

I run Snort & SnortSnarf on a Linux box, but would like the ability to move the data off and be able to read it on a Windows box. Since Windows can't handle filenames like TCP:xxxxx-xxx, I have changed the Snort code to log the packet capture files with TCP_xxxxx-xxx. Now I need to get SnortSnarf to create the proper links on the alert details page. I'm not a programmer or Perl scripter by any means; however, I did try a couple of changes to the HTMLOutput.pm file, but they did not help. The one change that I thought would have worked was changing 'logfileprototerm' = ':' to = '_'. Any ideas on where I need to change SnortSnarf to make this work?

Thanks,
Matt Yackley

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
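The portability problem the thread describes (Snort's default per-session log names contain a ":" that Windows cannot store, and SnortSnarf's HTML pages link to those names) can be solved after the fact, without patching Snort or HTMLOutput.pm, by renaming the files and rewriting only the links that resolve to a renamed file. The script below is an added example written for this archive page; it is not Snort or SnortSnarf code, and it assumes (for the example only) that the packet logs sit anywhere under the log root with names such as `10.0.0.5/TCP:1234-80` and that SnortSnarf references them with relative `href` links. Absolute URLs keep their ":" because each link is resolved against the tree and looked up, rather than having every ":" swapped blindly. The sample tree it builds is constructed data.

```python
"""Make a Snort/SnortSnarf log tree Windows-portable, relink its HTML and tar it.

Added example, not Snort or SnortSnarf code. Assumed layout (example only):
packet logs with ':' in their names under the log root, HTML pages linking
to them by relative href. Absolute URLs (http://, mailto:) are left alone.
"""
import os
import re
import tarfile
import tempfile
from urllib.parse import unquote

# Characters NTFS/FAT reject in a file name; Snort's default ':' is among them.
WIN_BAD = re.compile(r'[:<>"|?*]')
# href/src attribute values in the generated pages.
LINK_ATTR = re.compile(r'(?P<attr>href|src)=(?P<q>["\'])(?P<path>[^"\']*)(?P=q)', re.I)


def portable_name(name):
    """Replace every Windows-hostile character in a file name with '_'."""
    return WIN_BAD.sub('_', name)


def rename_files(root):
    """Rename offending files in place; return {old_relpath: new_relpath}."""
    mapping = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            new = portable_name(f)
            if new == f:
                continue
            old_abs, new_abs = os.path.join(dirpath, f), os.path.join(dirpath, new)
            if os.path.exists(new_abs):
                # Two sessions collapsing onto one name would silently lose evidence.
                raise FileExistsError(new_abs)
            os.rename(old_abs, new_abs)
            mapping[os.path.relpath(old_abs, root)] = os.path.relpath(new_abs, root)
    return mapping


def relink_html(root, mapping):
    """Rewrite relative links that pointed at renamed files; return count rewritten."""
    count = 0
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(('.html', '.htm')):
                continue
            page = os.path.join(dirpath, f)
            with open(page, encoding='utf-8', errors='replace') as fh:
                html = fh.read()

            def fix(m):
                nonlocal count
                # Resolve the (possibly %-encoded) link against the page's own
                # directory and touch it only if it lands on a renamed file.
                target = unquote(m.group('path'))
                rel = os.path.relpath(os.path.normpath(os.path.join(dirpath, target)), root)
                if rel not in mapping:
                    return m.group(0)
                count += 1
                new_target = os.path.relpath(os.path.join(root, mapping[rel]), dirpath)
                return '%s=%s%s%s' % (m.group('attr'), m.group('q'),
                                      new_target.replace(os.sep, '/'), m.group('q'))

            fixed = LINK_ATTR.sub(fix, html)
            if fixed != html:
                with open(page, 'w', encoding='utf-8') as fh:
                    fh.write(fixed)
    return count


def make_portable(root):
    """Rename + relink the whole tree; return (files renamed, links rewritten)."""
    mapping = rename_files(root)
    return len(mapping), relink_html(root, mapping)


def archive_tree(root, tar_path):
    """Tar+gzip the tree for transfer to a Windows box or a CD; return member names."""
    with tarfile.open(tar_path, 'w:gz') as tar:
        tar.add(root, arcname=os.path.basename(os.path.normpath(root)))
    with tarfile.open(tar_path) as tar:
        return sorted(tar.getnames())


def build_sample_tree(base=None):
    """Construct a tiny stand-in for a Snort/SnortSnarf tree (constructed data)."""
    base = base or tempfile.mkdtemp()
    pkt_dir = os.path.join(base, 'snort', '10.0.0.5')
    os.makedirs(pkt_dir)
    with open(os.path.join(pkt_dir, 'TCP:1234-80'), 'w') as fh:
        fh.write('constructed packet log\n')
    with open(os.path.join(base, 'snort', 'index.html'), 'w') as fh:
        fh.write('<a href="10.0.0.5/TCP%3A1234-80">session</a>\n'
                 '<a href="http://www.snort.org/">snort</a>\n')
    return os.path.join(base, 'snort')


if __name__ == '__main__':
    root = build_sample_tree()
    print(make_portable(root))                      # -> (1, 1)
    print(archive_tree(root, root + '.tar.gz'))     # member names, none containing ':'
```

Run it against a copy of the weekly tree before tarring; the collision check matters because two distinct sessions whose names differ only in a rejected character would otherwise be merged into one file, and an evidence archive should fail loudly rather than lose a capture.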
Current thread:
- RE: Snort / SnortSnarf question about packet capture filenames Slighter, Tim (Jun 26)
- <Possible follow-ups>
- RE: Snort / SnortSnarf question about packet capture filenames Matt Yackley (Jun 26)