Snort mailing list archives
Re: tcpdump script
From: Joel Esler <eslerj () gmail com>
Date: Tue, 7 Apr 2009 19:23:33 -0400
May I suggest a method like Shadow? If you can find the old Shadow scripts, that's an excellent way to do it.

Before I came to Sourcefire I did this exact thing. I had tcpdump logging on several sensors. Every hour, I had a script that would start tcpdump up, logging to a new file, and then stop the old one, and then gzip the old one.

Then, every 5 minutes past the hour, I had a central machine that would reach out, grab these large tcpdump files and pull them up to a central location. I then had a ton of scripts that went through all these files for anomalies and what not.

The concept that I mirrored was the Shadow IDS concept, however, it worked very differently.

Joel

On Tue, Apr 7, 2009 at 7:07 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi,

I wanted to run tcpdump to capture all traffic on my snort sensor, so that if I want to go take a look at traffic based on snort alerts I could get more context. I've set up a couple of scripts to gzip the packet captures and send them to a storage server.

My question is about starting tcpdump itself. I tried doing it in the same script that starts snort and barnyard, but this didn't seem to work and I think it's due to the fact that tcpdump needs to be run as root (?). So, I've created a root cron job that runs every five minutes and will start tcpdump if it finds it not running (using "pidof tcpdump").

Not being a Linux guru, is this the right way to approach this problem?

Thanks,
Shawn

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
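
The hourly rotation described in the reply above (start a new tcpdump on a fresh file, stop the old one, gzip the old file), sketched as an added example; it is not code from the thread or from the Shadow scripts. The script path, `IFACE`, `CAP_DIR`, `PID_FILE` and `CAPTURE_BIN` are assumed names, and it is meant to run from root's crontab.

```shell
#!/bin/sh
# Added example (not from the thread). Intended for root's crontab, hourly:
#   0 * * * * /usr/local/sbin/rotate-capture.sh rotate
# Script path, IFACE, CAP_DIR, PID_FILE and CAPTURE_BIN are assumed names.
IFACE="${IFACE:-eth0}"
CAP_DIR="${CAP_DIR:-/var/log/pcap}"
PID_FILE="${PID_FILE:-$CAP_DIR/capture.pid}"
CAPTURE_BIN="${CAPTURE_BIN:-tcpdump}"

# Start a new capture in the background and note its PID and output file.
start_capture() {
    new_file="$CAP_DIR/$(date +%Y%m%d-%H%M%S).pcap"
    "$CAPTURE_BIN" -n -i "$IFACE" -s 0 -w "$new_file" >/dev/null 2>&1 &
    echo "$! $new_file" > "$PID_FILE.new"
}

# Stop the capture recorded by the previous run, then compress its file.
stop_previous() {
    [ -f "$PID_FILE" ] || return 0
    read -r old_pid old_file < "$PID_FILE"
    if kill -0 "$old_pid" 2>/dev/null; then
        kill -TERM "$old_pid"
        tries=0   # give tcpdump up to 10 s to flush and exit
        while kill -0 "$old_pid" 2>/dev/null && [ "$tries" -lt 10 ]; do
            sleep 1
            tries=$((tries + 1))
        done
    fi
    if [ -f "$old_file" ]; then
        gzip -f "$old_file"
    fi
}

# New capture first, then stop the old one, so rotation leaves no gap.
rotate_capture() {
    umask 077                 # captures hold raw traffic: owner-only files
    mkdir -p "$CAP_DIR"
    start_capture
    stop_previous
    mv "$PID_FILE.new" "$PID_FILE"
}

if [ "${1:-}" = "rotate" ]; then
    rotate_capture
fi
```

Starting the new capture before stopping the old one trades a brief overlap of duplicate packets for continuous coverage; the central collector then only needs to fetch the `.gz` files.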
Current thread:
- tcpdump script Jefferson, Shawn (Apr 07)
- Re: tcpdump script Joel Esler (Apr 07)
- Re: tcpdump script Jason Brvenik (Apr 07)
- Re: tcpdump script Joel Esler (Apr 07)
- Re: tcpdump script Bamm Visscher (Apr 07)
- <Possible follow-ups>
- Re: tcpdump script Nathaniel Richmond (Apr 07)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Jack Pepper (Apr 08)
- Re: tcpdump script Leon Ward (Apr 08)
- Re: tcpdump script Jason Brvenik (Apr 08)
- Re: tcpdump script Leon Ward (Apr 09)
- Re: tcpdump script John Hally (Apr 08)
- Re: tcpdump script Leon Ward (Apr 08)