
[Snort-users] Tapping into the ring buffer


sekure, Aug 19, 2005, 3:05:23 PM
Snorters,

I am running snort compiled against Phil Wood's modified libpcap
library and I was wondering whether it is possible to tap into the
buffer that it creates from other applications, without having to
recapture the packets off the wire, if I wanted to run some additional
statistical or gathering tools on them. For example, if I run snort
and tcpdump side by side on the same interface, are they both
grabbing packets, and is this introducing any sort of latency? Could
I, for example, run snort, ntop and PADS (passive.sourceforge.net)
side by side on the same interface without introducing any more
slowdown (other than what is caused by processing within the
individual application)?

Does anyone know how much impact, if any, is introduced by running
additional promiscuous mode applications, specifically due to
sniffing, or whether there is any interaction at all?

I am not 100% clear about what happens deep in the guts of the OS, so
I need someone to set me straight.

Thanks in advance.


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Harry Hoffman, Aug 19, 2005, 3:19:26 PM
Hi Sekure,

Will something like this work for you:

PCAP_FRAMES=32000 /usr/sbin/tcpdump -i eth0 -C 500 -w pcap.dmp
and then

snort -r pcap.dmp -c /etc/snort/snort.conf
you'd need a loop for the snort bit but that should be pretty
straightforward.

I believe that the apps are independent of each other, which is why you
can run a host based firewall and still have snort grab all of the
packets (someone please correct me if I'm wrong).

Also, you set the interface into promisc mode. The first application
that does so allows any other application to not need to set promisc
(again please correct me if I'm wrong).


HTH,
Harry


sekure, Aug 22, 2005, 9:16:15 AM
I was thinking of that, but ideally I was looking for something
simpler. Besides, depending on the speed of your processor vs. the
load of the network, snort might quit when it finishes processing the
last packet in the file, which could happen before tcpdump captures
its 500 Megs worth and rotates the files.

I guess I was thinking that this ring buffer has to exist somewhere in
memory. It would be nice if other applications could read it too, in
real time.

Thanks,


Joe Patterson, Aug 22, 2005, 4:22:16 PM
I recall thinking something very similar once. My solution was to write a
little program that was much like a stripped-down version of tcpdump
combined with tee. It would basically read from one pcap buffer and write
to N output files, and stdout. (I also gave it the nice feature that, on a
HUP, it would stat its output files, and for each one that didn't exist, it
would close and re-open it). So, in the end, I had snort running ( |
snort -r -) and dealing with things in real-time, and then another process
that would rotate my output files (with that HUP) and do post-processing
with whatever else I needed to use.

It *seemed* to work fairly efficiently.

-Joe


Milani Paolo, Aug 23, 2005, 5:19:27 AM

I may be wrong, but I think that each sniffing application creates a new
packet socket, and this means that if you have, say, snort and tcpdump
both sniffing the same traffic, each packet is queued into two socket
queues (and gets copied. An additional copy is made to send the packet
into the normal IP processing queue unless it is disabled for that
interface). Phil Wood's pcap then kicks in to avoid that each of these
packets is copied again into user space (because the socket queue is
memory mapped into user space and can be accessed directly).

Whatever the details are, since when an application gets access to the
memory of a packet it can modify them (snort does that too, rpc_decode I
think is an example), it would be unsafe not to make a different copy
for each application.

Sharing access to the sniffed packets would require a rather large
amount of tampering, either in the kernel or in the applications
involved.

So having multiple sniffing applications will slow down snort.. how big
a slowdown I guess you won't know until you try it out.

Paolo


