vortmax |
01-22-2008 10:39 AM |
packet logging
I need to set up a machine that will log all packets traversing a gateway. The gateway is a Cisco router, and I'm mirroring a port over, so getting the packets to the machine isn't the issue. It's the processing and handling that I need advice with.
There are two things I want to do with this set up. The first is to create daily (possibly hourly) pcap style binary files that will rotate on a monthly basis. This is easy to accomplish with daemonlogger. I just tell it to make a new file after x time and to keep y files.
The second thing is to pass this info into an analysis program. I'm looking at using splunk, which will give a ton of power in terms of searching and reporting. The only problem is that I need to feed the data into splunk. I have made a configuration bundle that will ingest the output of snort by directing it into a named pipe. One difficulty is that I wish to log the entire packet, but not really the hex part. So far snort is the only thing I've found that will log text of the packet contents and ignore the hex.
I can use snort to read the pcap files generated by daemonlogger, but the filenames change with every epoch and it needs some sort of buffering. If you start a file going and then have snort read it, snort will eventually hit the EOF and stop even though more stuff is being logged to it. I'd have to get it into a pipe so that snort didn't stop attempting to process it.
So any suggestions on how to get this into something that will be stable and work reliably? I've looked at things like ACID and BASE, but those are mostly for intrusion detection with snort. I'm not doing any filtering or processing....just logging every packet.
|