[Oisf-users] A few questions about logging.

Brandon Lattin lattin at umn.edu
Tue Aug 5 20:00:43 UTC 2014


Cooper,

I've redirected traffic via tcpdump -> box1 netcat -> box2 netcat listener
-> pipe -> suricata (pretty hackish, I know!)

I remember it working without issue. Not quite the same task, but perhaps
similar enough.

Here are the related commands from my .bash_history:

# listener writes whatever box1's netcat sends into a growing pcap file
nc -l 10101 > temp.pcap &
# suricata reads that file while it is still being appended to
/usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -r ./temp.pcap &

Suricata remained running as long as the netcat listener was operational.

Hope this helps!



On Tue, Aug 5, 2014 at 2:30 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

>
> I tried setting up a bunch of 'cat' listeners that redirected to
> /dev/null as a test, but most of them terminated almost immediately
> after starting suricata.  I suspect the internal buffers aren't big
> enough for the amount of data the suricata threads are producing.
>
> Doing some googling, it looks like the "dummy" network interface is what
> would probably work the best for doing raw packet IPC with suricata:
>
> http://wiki.networksecuritytoolkit.org/nstwiki/index.php/Dummy_Interface
>
> The idea would be to set up virtual interfaces on the dummy device as such:
>
> ifconfig dummy0:1
> ifconfig dummy0:2
> ifconfig dummy0:3
>
> ... and then write the post-processed raw packets to the virtual
> interfaces, one per thread.  Unless I'm missing something this should be
> a workable solution, but as we have seen I tend to miss things!
>
> - -Coop
>
> On 8/5/2014 4:21 AM, Victor Julien wrote:
> > On 08/05/2014 05:32 AM, Cooper F. Nelson wrote:
> >> Yup, I don't understand named pipes.  You need to attach the consumer
> >> process to all the pipes first before starting suricata, otherwise it
> >> will block the process.
> >
> > So did you find a way to make it work?
> >
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
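The named-pipe ordering problem discussed in the quoted exchange (the consumer has to be attached to the FIFO before anything writes to it, or the writer blocks) comes down to two POSIX FIFO rules: open() for writing blocks until a reader has the other end open, and a reader sees EOF and exits as soon as the last writer closes. The script below is an added example and not code from the thread or from Suricata; it uses cat as a stand-in for the Suricata reader and printf as a stand-in for a tcpdump-style producer, and the file names under the temporary directory are arbitrary. It checks both rules with nothing but mkfifo, cat, printf, sleep and kill.

```sh
#!/bin/sh
# Added example: POSIX FIFO semantics behind "attach the consumer first".
#   1. A writer that opens a FIFO with no reader attached is stuck in open().
#   2. Once the writer closes its end, the reader hits EOF and exits on its
#      own, which is the normal fate of a bare 'cat' listener whose producer
#      goes away.
# Paths and the printf/cat stand-ins are assumptions for the demo only.

# Prints "blocked" if a writer with no reader is still stuck after 1 second,
# "not blocked" otherwise.
writer_blocks_without_reader() {
    dir=$(mktemp -d) || return 1
    fifo="$dir/pkts.fifo"
    mkfifo "$fifo"
    # The redirection inside the child shell performs the open(2). With no
    # reader on the FIFO it never returns, so the child stays alive.
    sh -c 'printf "probe\n" > "$1"' sh "$fifo" &
    wpid=$!
    sleep 1
    if kill -0 "$wpid" 2>/dev/null; then
        result="blocked"
    else
        result="not blocked"
    fi
    kill "$wpid" 2>/dev/null || true
    wait "$wpid" 2>/dev/null || true
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# Consumer-first ordering: start the reader, then the producer. Prints the
# number of records the reader collected before it saw EOF and exited.
consumer_first_pipeline() {
    dir=$(mktemp -d) || return 1
    fifo="$dir/pkts.fifo"
    out="$dir/consumed.txt"
    mkfifo "$fifo"
    # 1. Attach the consumer (stand-in for 'suricata -r <fifo>') first.
    cat "$fifo" > "$out" &
    rpid=$!
    # 2. The producer (stand-in for 'tcpdump -w <fifo>') can now open and
    #    write; its open() completes because a reader is already there.
    printf 'pkt1\npkt2\npkt3\n' > "$fifo"
    # 3. The producer has closed its end, so the reader gets EOF and exits;
    #    wait returns as soon as that happens.
    wait "$rpid" 2>/dev/null || true
    n=$(wc -l < "$out" | tr -d ' ')
    rm -rf "$dir"
    printf '%s\n' "$n"
}

main() {
    echo "writer with no reader attached: $(writer_blocks_without_reader)"
    echo "records delivered, consumer started first: $(consumer_first_pipeline)"
}

main
```

If the reader is a long-running process that must survive producer restarts, it cannot simply be left on the FIFO: every producer close delivers EOF. The usual workaround is to hold a second writer open on the FIFO (for example `sleep infinity > pipe &`, where supported) so the last-writer-closes condition is never met while producers come and go.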