Snort mailing list archives
RE: same tcpdump.log to remote log server instead of local sensor
From: "samwun" <samwun () hgcbroadband com>
Date: Wed, 28 Jan 2004 18:23:44 +0800
-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Wednesday, January 28, 2004 5:42 PM
To: samwun
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] same tcpdump.log to remote log server instead of local sensor

On Tue, 2004-01-27 at 23:14, samwun wrote:

>> The snort sensor saves tcpdump.log files to the local sensor directory. As the tcpdump.log files generated by snort contain payload information for in-depth analysis, it is best for snort to generate these tcpdump.log files to a remote syslog server in near real-time mode.

> Full ASCII dump or full packet dump into a database happens in real-time mode and is useful for in-depth analysis. I'm not sure why you need tcpdump format in particular. (I get emails and IRC notifications every couple minutes, emails with full ASCII dump).

Will the following configuration in snort.conf do the trick?

output log_unified: filename snort.log, limit 128

> However, the question:

>> Does anyone know how to generate these tcpdump.log files from snort on a remote server in near real-time mode?

> can be answered with "not yet". I'm planning to write a modification to Snort that allows remote transfers of data for output through any output plugin, including tcpdump. (I started planning last year Feb but had to shelve the project due to time constraints. I should be able to pick up on it later this spring). Stay tuned to snort-users for an announcement later this year.
>
> Regards,
> Frank