[Oisf-users] A few questions about logging.

Brandon Lattin lattin at umn.edu
Tue Aug 5 20:01:45 UTC 2014


I should mention, this was using a RHEL 6.5 box.


On Tue, Aug 5, 2014 at 3:00 PM, Brandon Lattin <lattin at umn.edu> wrote:

> Cooper,
>
> I've redirected traffic via tcpdump -> box1 netcat -> box2 netcat listener
> -> pipe -> suricata (pretty hackish, I know!)
>
> I remember it working without issue. Not quite the same task, but perhaps
> similar enough.
>
> Here are the related commands from my .bash_history
>
> nc -l 10101 > temp.pcap &
> /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata.yaml -r ./temp.pcap &
>
> Suricata remained running as long as the netcat listener was operational.
>
> Hope this helps!
>
> On Tue, Aug 5, 2014 at 2:30 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
>> I tried setting up a bunch of 'cat' listeners that redirected to
>> /dev/null as a test, but most of them terminated almost immediately
>> after starting suricata.  I suspect the internal buffers aren't big
>> enough for the amount of data the suricata threads are producing.
>>
>> Doing some googling it looks like the "dummy" network interface is what
>> would probably work the best for doing raw packet IPC with suricata:
>>
>> http://wiki.networksecuritytoolkit.org/nstwiki/index.php/Dummy_Interface
>>
>> The idea would be to set up virtual interfaces on the dummy device as such:
>>
>> ifconfig dummy0:1
>> ifconfig dummy0:2
>> ifconfig dummy0:3
>>
>> ... and then write the post-processed raw packets to the virtual
>> interfaces, one per thread.  Unless I'm missing something this should be
>> a workable solution, but as we have seen I tend to miss things!
>>
>> -Coop
>>
>> On 8/5/2014 4:21 AM, Victor Julien wrote:
>> > On 08/05/2014 05:32 AM, Cooper F. Nelson wrote:
>> >> Yup, I don't understand named pipes.  You need to attach the consumer
>> >> process to all the pipes first before starting suricata, otherwise it
>> >> will block the process.
>> >
>> > So did you find a way to make it work?
>> >
>>
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ACT Security Team
>> cnelson at ucsd.edu x41042
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>>
>
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
>
-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
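The two named-pipe behaviours the thread runs into (a consumer has to be attached before the producer opens the pipe, and a producer that outruns a slow consumer stalls once the kernel pipe buffer is full) are easy to reproduce without Suricata. The following is an added Python example, not code from the thread or from the Suricata project: it creates a FIFO in a temporary directory, shows that a non-blocking write-open with no reader fails with ENXIO (a blocking open would simply hang, which is the stall Cooper describes), measures the capacity of a fresh pipe, and then streams a constructed 256 KiB "packet" payload through the FIFO with the consumer attached first. Linux pipe semantics are assumed; the fifo file names and the payload are made up for the demonstration.

```python
"""Reproduce the FIFO hand-off behaviours discussed in the thread (added example)."""
import errno
import fcntl
import os
import tempfile
import threading

# Constructed sample stream standing in for Suricata's raw packet output:
# 256 KiB, several times larger than the default 64 KiB Linux pipe buffer,
# so the producer must be drained by the consumer to finish.
SAMPLE_PAYLOAD = bytes(range(256)) * 1024


def try_open_writer_without_reader():
    """Open a FIFO write-only and non-blocking while no reader is attached.

    POSIX specifies ENXIO for this case; without O_NONBLOCK the open() call
    would block until some process opens the read end, which is exactly why
    the consumer must be started before the producer. Returns the errno name
    ("ENXIO" on Linux) or "opened".
    """
    tmpdir = tempfile.mkdtemp()
    fifo_path = os.path.join(tmpdir, "orphan.fifo")  # hypothetical name
    os.mkfifo(fifo_path)
    try:
        fd = os.open(fifo_path, os.O_WRONLY | os.O_NONBLOCK)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    else:
        os.close(fd)
        return "opened"
    finally:
        os.unlink(fifo_path)
        os.rmdir(tmpdir)


def pipe_capacity_bytes():
    """Return how many bytes a producer can write into a fresh pipe before it
    blocks on a consumer that is not draining it (64 KiB by default on Linux)."""
    r, w = os.pipe()
    try:
        if hasattr(fcntl, "F_GETPIPE_SZ"):  # Linux-only fcntl, Python 3.10+
            return fcntl.fcntl(w, fcntl.F_GETPIPE_SZ)
        # Portable fallback: fill the pipe non-blocking until it refuses more.
        os.set_blocking(w, False)
        total = 0
        chunk = b"\0" * 4096
        while True:
            try:
                total += os.write(w, chunk)
            except BlockingIOError:
                return total
    finally:
        os.close(r)
        os.close(w)


def hand_off_through_fifo(payload, chunk_size=4096):
    """Attach a consumer to a FIFO first, then stream payload through it from
    the producer side. Returns the bytes the consumer received."""
    tmpdir = tempfile.mkdtemp()
    fifo_path = os.path.join(tmpdir, "packets.fifo")  # hypothetical name
    os.mkfifo(fifo_path)
    received = bytearray()

    def consumer():
        # Opening the read end is what lets the producer's open() proceed;
        # reading until EOF keeps the pipe buffer drained.
        with open(fifo_path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    break
                received.extend(block)

    reader = threading.Thread(target=consumer)
    reader.start()
    with open(fifo_path, "wb") as out:  # blocks only until the reader is attached
        for offset in range(0, len(payload), chunk_size):
            out.write(payload[offset:offset + chunk_size])
    reader.join()
    os.unlink(fifo_path)
    os.rmdir(tmpdir)
    return bytes(received)


if __name__ == "__main__":
    print("write-open with no reader:", try_open_writer_without_reader())
    print("pipe capacity (bytes):", pipe_capacity_bytes())
    got = hand_off_through_fifo(SAMPLE_PAYLOAD)
    print("bytes delivered through FIFO:", len(got), "intact:", got == SAMPLE_PAYLOAD)
```

The capacity figure is the practical reason the `cat` listeners died: a consumer that stops reading leaves the producer blocked in write() after roughly that many bytes, and a producer that exits first sends the consumer an EOF. Starting every consumer before the producer, and keeping each one reading until EOF, is the ordering the FIFO approach needs; the dummy-interface approach sidesteps the rendezvous entirely because the kernel drops frames nobody is reading instead of blocking the writer.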