#
#
# DAQ_PCAP_SPOOLER v4
#
# (c) 2012 Eric Lauzon <[email protected]>
#
#
# Which came first, the pig or the barn?
#
#
# Description
#
#
This DAQ module is simple in itself. Its goal is to read PCAP files in spooled mode.
For snort people it is like barnyard(X) for snort.
This DAQ module monitors a directory for pcap files with a specific prefix and, as they grow, new packets are sent to snort
for analysis without losing detection context.
The module also has the ability to archive processed pcap files to a defined directory.
The module creates a PSRF (PCAP SPOOLER REFERENCE FILE), think waldo file (for barnyard(x) folks), that allows
snort to resume its processing after a halt.
#
# Compilation
#
extract the sources
run ./autogen.sh
./configure --enable-shared
make
make install OR copy .libs/daq_pcap_spooler.so to your favorite DAQ library directory and enjoy.
#
# Configure option
#
[--enable-largfile]
Support for >2GB capture files.
#
# DAQ Variables:
#
# operation_mode
#
# Default: pcap
Defines what type of file to monitor (pcap|PCAP or yaf|YAF).
# file_prefix
#
# Default: daemonlogger.pcap
Prefix of the pcap files being watched in the spool directory.
# spool_directory
#
# Default: /var/log/snort/log
Spool directory monitored for pcap files whose names start with file_prefix.
# archive_directory
#
# Default: /var/log/snort/archive
If enable_archive is enabled and the DAQ module is done processing its current pcap file,
then when a new file arrives or it starts processing a new file, this is the location
where the old file will be written.
# block_size_read
#
# Default: 128
The buffering done by the DAQ module on the pcap file: this integer * filesystem block size.
# pcap_reference_file
#
# Default: /var/log/snort/PSRF
Full path to the file used as a pointer/reference to continue processing if snort is stopped.
# packet_update_window
#
# Default: 50
The number of packets processed from the current pcap file before the pcap_reference_file is updated.
# enable_archive
#
# Default: 0 (off)
Enable archiving of processed pcap files (moved to the defined archive_directory).
# enable_debug
#
# Default: 0 (off)
Enable printing of some useful information (for debugging).
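To make the spooling and resume behaviour described above (Description, and the spool_directory / pcap_reference_file / packet_update_window / enable_archive variables) concrete, here is an added Python model of the same mechanism. It is not the DAQ module's own code. Assumptions not taken from this README: spool files are named <prefix><suffix> and sort in creation order (daemonlogger appends a timestamp); the reference file layout "filename offset packet_count" is invented here; input is classic pcap, not pcapng; the sample capture is constructed inline.

```python
# Added example, not the DAQ module's own code: a minimal pcap spooler with a
# PSRF-style reference file. Assumptions (not from the README): spool files sort in
# creation order, the "filename offset packet_count" reference format is invented
# here, and the input is classic pcap (not pcapng).
import os
import struct
import tempfile

GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
MAX_SNAPLEN = 262144  # sanity limit: a larger incl_len means a corrupt or mis-aligned file
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (usec / nsec)
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian (usec / nsec)

def read_reference(psrf_path):
    """(filename, byte_offset, packets_seen) from the reference file, or a fresh start."""
    try:
        with open(psrf_path) as fh:
            name, off, cnt = fh.read().split()
        return name, int(off), int(cnt)
    except (FileNotFoundError, ValueError):
        return None, 0, 0

def write_reference(psrf_path, name, offset, count):
    """Write the reference via rename so a crash mid-write cannot leave a torn file."""
    tmp = psrf_path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(f"{name} {offset} {count}\n")
    os.replace(tmp, psrf_path)

def read_records(path, offset):
    """Yield (offset_after_record, packet_bytes) for each complete record at or after offset.
    Stops silently at a partial record, since the writer may still be appending."""
    with open(path, "rb") as fh:
        endian = MAGICS.get(fh.read(4))
        if endian is None:
            raise ValueError(f"{path}: not a classic pcap file")
        pos = max(offset, GLOBAL_HDR_LEN)  # never re-read the global header as a record
        fh.seek(pos)
        while True:
            hdr = fh.read(RECORD_HDR_LEN)
            if len(hdr) < RECORD_HDR_LEN:
                return
            incl_len = struct.unpack(endian + "IIII", hdr)[2]
            if incl_len > MAX_SNAPLEN:
                raise ValueError(f"{path}: corrupt record header at offset {pos}")
            data = fh.read(incl_len)
            if len(data) < incl_len:
                return
            pos += RECORD_HDR_LEN + incl_len
            yield pos, data

def spool_once(spool_dir, prefix, psrf_path, update_window=50, archive_dir=None):
    """One polling pass: resume from the reference file, collect each new complete packet,
    checkpoint every update_window packets, archive a file once a newer one exists."""
    files = sorted(f for f in os.listdir(spool_dir) if f.startswith(prefix))
    current, offset, count = read_reference(psrf_path)
    if current not in files:  # first run, or the referenced file was removed
        current, offset, count = (files[0] if files else None), 0, 0
    processed = []
    while current is not None:
        path = os.path.join(spool_dir, current)
        for offset, pkt in read_records(path, offset):
            processed.append(pkt)  # where snort would receive the packet
            count += 1
            if count % update_window == 0:
                write_reference(psrf_path, current, offset, count)
        write_reference(psrf_path, current, offset, count)
        newer = [f for f in files if f > current]
        if not newer:
            break  # still the live file: wait for the writer to append more
        if archive_dir is not None:
            os.replace(path, os.path.join(archive_dir, current))
        current, offset, count = newer[0], 0, 0
    return processed

def make_pcap(payloads):
    """Constructed little-endian pcap bytes with one record per payload (sample input)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(p), len(p)) + p
    return out

def demo():
    """Three passes: truncated tail ignored, resumed once complete, old file archived."""
    pkts = [b"A" * 10, b"B" * 20, b"C" * 30, b"D" * 40]
    with tempfile.TemporaryDirectory() as root:
        spool, arch = os.path.join(root, "spool"), os.path.join(root, "archive")
        os.makedirs(spool); os.makedirs(arch)
        psrf = os.path.join(root, "PSRF")
        data = make_pcap(pkts)
        live = os.path.join(spool, "daemonlogger.pcap.1700000001")
        with open(live, "wb") as fh:
            fh.write(data[:-5])  # the writer is mid-record
        pass1 = spool_once(spool, "daemonlogger.pcap", psrf, 2, arch)
        ref1 = read_reference(psrf)
        with open(live, "ab") as fh:
            fh.write(data[-5:])
        pass2 = spool_once(spool, "daemonlogger.pcap", psrf, 2, arch)
        with open(os.path.join(spool, "daemonlogger.pcap.1700000002"), "wb") as fh:
            fh.write(make_pcap([b"E"]))
        pass3 = spool_once(spool, "daemonlogger.pcap", psrf, 2, arch)
        archived = os.path.exists(os.path.join(arch, "daemonlogger.pcap.1700000001"))
        return pass1, ref1, pass2, pass3, archived, read_reference(psrf)
```

Calling demo() walks through the three situations the variables above are designed for: a record that is still being written is left alone until it is complete, the reference file lets a later pass continue from the recorded byte offset instead of re-reading the file, and the old capture is only archived once a newer spool file exists. The reference is written with a rename so that a halt in the middle of a checkpoint cannot leave a half-written pointer behind.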
#
# Snort Usage
#
# snort --daq-dir /usr/local/lib/daq --daq pcap_spooler --daq-var file_prefix=daemonlogger.pcap --daq-var enable_archive=1 --daq-var pcap_reference_file=snortXXX_PSRF etc....
#
#
# TODO/Comments/Bugs/Requests/etc
#
#
Mail me