Thread: [Sguil-devel] Patch for using Daemonlogger in log_packets.sh

From: Richard B. <tao...@gm...> - 2007-04-03 14:38:54
Attachments: log_packets.sh.patch
I decided to look at replacing Snort with Daemonlogger (http://www.snort.org/dl/daemonlogger/) in log_packets.sh. The attached patch should make the right changes to the latest log_packets.sh from CVS.

The only functionality not present in the new Daemonlogger log_packets.sh is the ability to enable

-u sguil -g sguil -m 122

because Daemonlogger doesn't drop privileges.

If you're wondering about footprint, on my FreeBSD 6.x system Snort in packet logger mode used 3708KB while Daemonlogger used 824KB.

Richard
From: Paul S. <pa...@ut...> - 2007-04-03 18:18:45

--On Tuesday, April 03, 2007 10:38:50 -0400 Richard Bejtlich <tao...@gm...> wrote:

> I decided to look at replacing Snort with Daemonlogger
> (http://www.snort.org/dl/daemonlogger/) in log_packets.sh. The
> attached patch should make the right changes to the latest
> log_packets.sh from CVS.
>
> The only functionality not present in the new Daemonlogger
> log_packets.sh is the ability to enable
>
> -u sguil -g sguil -m 122
>
> because Daemonlogger doesn't drop privileges.
>
> If you're wondering about footprint, on my FreeBSD 6.x system Snort in
> packet logger mode used 3708KB while Daemonlogger used 824KB.
>

Richard, will this be committed now? Or worked into the upcoming 0.7.0 update? (I'm wondering if I need to update the port or hold off until 0.7.0 is released.)

Paul Schmehl (pa...@ut...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
From: Richard B. <tao...@gm...> - 2007-04-03 18:20:26

On 4/3/07, Paul Schmehl <pa...@ut...> wrote:
>
> Richard, will this be committed now? Or worked into the upcoming 0.7.0
> update? (I'm wondering if I need to update the port or hold off until
> 0.7.0 is released.)
>

Hi Paul,

Let's see what Bamm says.

Richard
From: Bamm V. <bam...@gm...> - 2007-04-04 04:12:03

I think it's good to have options, but I don't think it's wise to make daemonlogger the default until it has the ability to drop privs. That's the reason I chose to use snort instead of tcpdump in the first place.

Bammkkkk

On 4/3/07, Richard Bejtlich <tao...@gm...> wrote:
> On 4/3/07, Paul Schmehl <pa...@ut...> wrote:
> >
> > Richard, will this be committed now? Or worked into the upcoming 0.7.0
> > update? (I'm wondering if I need to update the port or hold off until
> > 0.7.0 is released.)
> >
>
> Hi Paul,
>
> Let's see what Bamm says.
>
> Richard

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
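The point Richard and Bamm are making is that a packet logger opens the capture interface as root and, unless it can switch to an unprivileged account afterwards, keeps root for as long as it runs. The following sketch, added here as an illustration and not the sguil project's own log_packets.sh nor code from either author, shows how a wrapper script can pass the `-u sguil -g sguil -m 122` switches only to the logger that honours them, what the `-m 122` umask means for the pcap files, and how an operator can verify after launch that the sniffer really is running under the expected uid. The variable names, the `/nsm` paths and the exact daemonlogger option set are assumptions; the Snort switches other than `-u`, `-g` and `-m` are likewise assumed for the example.

```shell
#!/bin/sh
# Added example, not the sguil project's log_packets.sh. Shows how the
# privilege-drop switches from the thread are applied only to a logger that
# supports them, what the -m 122 umask yields, and how to verify the result.
# Variable names, paths and the daemonlogger option set are assumptions.

SNIFF_USER=sguil
SNIFF_GROUP=sguil
SNIFF_UMASK=122      # 0666 & ~0122 = 0644: pcaps readable by the sguil group

# Build the logger command line. Snort gets -u/-g/-m because it drops
# privileges after opening the interface; daemonlogger (at the time of the
# thread) had no such switches, so they are omitted and a warning is printed.
logger_cmd() {
    logger=$1 iface=$2 logdir=$3
    case $logger in
        snort)
            echo "snort -u $SNIFF_USER -g $SNIFF_GROUP -m $SNIFF_UMASK -i $iface -l $logdir -b -d"
            ;;
        daemonlogger)
            echo "WARNING: $logger cannot drop privileges; it will keep running as $(id -un)" >&2
            echo "daemonlogger -i $iface -l $logdir -d"   # assumed option set
            ;;
        *)
            echo "unknown logger: $logger" >&2
            return 1
            ;;
    esac
}

# Octal mode a newly created regular file receives under the given umask,
# i.e. what -m 122 does to the pcap files (0666 with the umask bits cleared).
file_mode_under_umask() {
    printf '%o\n' "$(( 0666 & ~0$1 ))"
}

# Effective uid of a running process: /proc on Linux, ps(1) elsewhere (FreeBSD).
process_uid() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^Uid:/ { print $3 }' "/proc/$1/status"   # third field = effective uid
    else
        ps -o uid= -p "$1" | tr -d ' '
    fi
}

# Return 0 if the process runs as the expected unprivileged uid, 1 otherwise.
# Run this against the sniffer's pid after startup; a logger that cannot drop
# privileges will still report uid 0 here.
verify_dropped() {
    pid=$1 want=$2
    have=$(process_uid "$pid") || return 1
    [ "$have" = "$want" ]
}

# Usage sketch (assumes root and a real interface):
#   cmd=$(logger_cmd snort em0 /nsm/em0) && $cmd && sleep 2
#   verify_dropped "$(pgrep -n snort)" "$(id -u "$SNIFF_USER")" || echo "still root!"
```

`verify_dropped` is the check worth keeping in a sensor's startup script whichever logger is chosen: it turns the difference between the two loggers from a reading of the man page into something the script can fail loudly on.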
From: Paul S. <pa...@ut...> - 2007-04-04 15:28:12

--On Tuesday, April 03, 2007 22:11:48 -0600 Bamm Visscher <bam...@gm...> wrote:

> I think it's good to have options, but I don't think it's wise to make
> daemonlogger the default until it has the ability to drop privs.
> That's the reason I chose to use snort instead of tcpdump in the first
> place.
>

In FreeBSD ports, I can make daemonlogger an option. You make a good point about not dropping privileges, though.

Paul Schmehl (pa...@ut...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
From: Richard B. <tao...@gm...> - 2007-04-04 15:41:45

On 4/4/07, Paul Schmehl <pa...@ut...> wrote:
> --On Tuesday, April 03, 2007 22:11:48 -0600 Bamm Visscher
> <bam...@gm...> wrote:
>
> > I think it's good to have options, but I don't think it's wise to make
> > daemonlogger the default until it has the ability to drop privs.
> > That's the reason I chose to use snort instead of tcpdump in the first
> > place.
> >
> In FreeBSD ports, I can make daemonlogger an option. You make a good point
> about not dropping privileges, though.
>

In IRC just now Marty said he is working on adding that. Maybe 0.9?

Richard