Re: [Sguil-devel] Getting rid of ssh/scp for retrieval of pcap data
From: Michael B. <mi...@ay...> - 2004-05-25 02:06:49
See the attached patch for proposed changes.

/Mike

On Mon, 2004-05-24 at 19:46, Michael Boman wrote:
> Hi guys,
>
> I know that you are all sleeping at this moment so I decided to draft an
> email about the things I've been thinking of instead of bothering you on
> IRC.
>
>
> Right now xscriptd does ssh/scp to get the data stored at the sensor,
> and our main long-term objective is to have sensor_agent do everything
> - not only uploading of ssn/portscan data.
>
> I am currently doing copy&paste on some of the existing code to
> facilitate pcap retrieval using the sensor_agent.
>
> To think of it, all the code we need to do the actual retrieval does
> already exist.
>
> 1) Getting the right session from the right file is the same code that
> xscriptd uses to handle a local sensor.
>
> 2) Code that sends raw pcap to the recipient is the same code as
> sguil.tk/xscriptd uses to send the pcap to ethereal. If you think
>
> sensor == system that runs xscriptd and
> server == system that runs sguil.tk
>
> (instead of sensor == sensor_agent, server == xscriptd)
>
> the process becomes pretty obvious, and xscriptd becomes more like a
> command proxy/gateway to access the sensors.
>
> I am currently trying to pretend that I know TCL/TK and hack it in.
> Check with me (when you wake up) on IRC for current progress status.

--
Michael Boman