Snort mailing list archives
Re: Snort read a incremental file
From: Alberto Colosi <alcol () hotmail com>
Date: Mon, 30 Jan 2017 20:31:01 +0000
possible to evaluate a gateway ... routing ... ever thought it

yes a bandwidth trouble could be involved

don't only change default gateway but you need to create a gateway with two LAN interfaces with different subnets and a switch where to attach the gateway and servers

if not icmp-redirect and other routing and network signals could redirect traffic to best paths !

unsure if only gateways use it so best to really create a new network segment.

Unsure on RIP v1 and v2 ... OSPF IGRP EIGRP and BGP are only for gateways

http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html

________________________________
From: Paul Li <paul () scybersecurity com>
Sent: Monday, January 30, 2017 8:39 PM
To: Joel Esler (jesler)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort read a incremental file

Looking for a way that Snort monitors multiple servers but don't want to install sensors on these servers. So try to use tcpdump sniffing the network on these servers and send the data to a central server where Snort is deployed. First thought is to write file (i.e. as Felix advice using named pipe) but realize it works for monitoring one server, but may not multiple servers.... Is there a possible way to do that?

How about set up a virtual network interface on the snort server and let tcpdump write data from those targeting servers to that remote virtual interface on the snort server?
Thanks,
Paul

On Monday, January 30, 2017, Joel Esler (jesler) <jesler () cisco com> wrote:

Is there a particular reason that you are doing it this way, or can you just read directly from the network interface?

--
Joel Esler | Talos: Manager | jesler () cisco com

On Jan 30, 2017, at 10:42 AM, Paul Li <paul () scybersecurity com> wrote:

Thanks Felix. That works well for my issue. Much appreciated.

A follow up question: if I have multiple pipes like this one, would there be any order how snort reads them?

Thanks,
Paul

On Saturday, January 28, 2017, Felix Erlacher <felix.erlacher () uibk ac at> wrote:

Hi Paul,

On a decent OS you can write pcap data to a named pipe and make snort read from that named pipe. That might be a solution in your case.

Example on Debian:

#mkfifo mypipe

then make your program write data to that file, and with snort simply

#snort -c snort.conf -r ./mypipe

greets
felix

On 28/01/17 14:52, Paul Li wrote:
I've got a pcap file that keeps adding new network data. I know Snort can read a file, but is there a way Snort can read the continuously added data to the file?

Thanks,
Paul

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Felix Erlacher
ccs-labs.org/~erlacher
Key-ID:4EAC0959
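The named-pipe approach suggested in the thread, shown as an added example that is not part of the thread and not written by any of its participants: a writer thread stands in for the capture program and a reader stands in for `snort -r ./mypipe`, so the behaviour of a pcap stream over a FIFO can be observed without Snort installed. All function names, timestamps and frames are constructed for illustration.

```python
import os, struct, tempfile, threading, time
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
MAGIC = 0xA1B2C3D4
# Constructed sample frames (Ethernet header + dummy payload), not real traffic.
FRAMES = [b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"payload-%d" % i
          for i in range(3)]

def capture_writer(path, frames, delay=0.05):
    """Stands in for the capture program: keeps adding records to the pipe."""
    with open(path, "wb", buffering=0) as pipe:  # blocks until a reader opens the FIFO
        pipe.write(GLOBAL_HDR.pack(MAGIC, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
        for i, frame in enumerate(frames):
            time.sleep(delay)  # new traffic shows up later
            pipe.write(RECORD_HDR.pack(1485800000 + i, 0, len(frame), len(frame)) + frame)

def read_exact(pipe, n):
    """Block until n bytes arrive; a shorter result means the writer closed the pipe."""
    buf = b""
    while len(buf) < n and (chunk := pipe.read(n - len(buf))):
        buf += chunk
    return buf

def pipe_reader(path):
    """Stands in for `snort -r ./mypipe`: waits for each record instead of hitting EOF."""
    packets = []
    with open(path, "rb") as pipe:
        hdr = read_exact(pipe, GLOBAL_HDR.size)
        if len(hdr) < GLOBAL_HDR.size or GLOBAL_HDR.unpack(hdr)[0] != MAGIC:
            raise ValueError("not a little-endian pcap stream")
        while rec := read_exact(pipe, RECORD_HDR.size):
            ts_sec, _, incl_len, _ = RECORD_HDR.unpack(rec)  # struct.error if truncated
            data = read_exact(pipe, incl_len)
            if len(data) < incl_len:
                raise ValueError("writer closed mid-packet")
            packets.append((ts_sec, data))
    return packets  # reached only once the writer closes its end

def demo(frames=FRAMES):
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mypipe")
        os.mkfifo(path)
        t = threading.Thread(target=capture_writer, args=(path, frames))
        t.start()
        packets = pipe_reader(path)
        t.join()
    return packets

if __name__ == "__main__":
    print(demo())
```

Each pcap stream begins with its own 24-byte global header, so output from several capture hosts cannot simply be concatenated into a single pipe; each source needs its own FIFO and reader, or a step that merges the records.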
Current thread:
- Snort read a incremental file Paul Li (Jan 28)
- <Possible follow-ups>
- Fwd: Re: Snort read a incremental file Felix Erlacher (Jan 28)
- Re: Snort read a incremental file Paul Li (Jan 30)
- Re: Snort read a incremental file Joel Esler (jesler) (Jan 30)
- Re: Snort read a incremental file Paul Li (Jan 30)
- Re: Snort read a incremental file Alberto Colosi (Jan 30)
- Re: Snort read a incremental file Paul Li (Jan 30)
- Re: Snort read a incremental file Felix Erlacher (Jan 30)