On Tue, Oct 30, 2012 at 12:35 PM, Doug Burks <[email protected]> wrote:
> I'd like to use netsniff-ng to replace daemonlogger in my Security
> Onion distribution:
> http://securityonion.blogspot.com

Cool, happy to hear! :)

> So far, I've got netsniff-ng 0.5.7 packaged in our Ubuntu Launchpad PPA:
> https://launchpad.net/~securityonion/+archive/test/+sourcepub/2761680/+listing-archive-extra

Probably, you're better off taking a current snapshot from the Git.

> Now I need to update our scripts to run netsniff-ng with the same
> specifications as daemonlogger. We currently run daemonlogger as
> follows:
> daemonlogger -u sguil -g sguil -i $INTERFACE -f /etc/nsm/$HOSTNAME-$INTERFACE/bpf-pcap.conf -l /nsm/sensor_data/$HOSTNAME-$INTERFACE/dailylogs/$DATE -n snort.log -s 134217728
>
> Let's look at each of these options:
>
> -u sguil -g sguil
> According to the netsniff-ng FAQ, netsniff-ng must be run as root, so
> this is not possible.

You can also run it as a user. Have a look at the latest INSTALL file:
https://github.com/gnumaniacs/netsniff-ng/blob/master/INSTALL#L81

> -i $INTERFACE
> This should be the same option in netsniff-ng.

Yep, or "--in" works as well.

> -f /etc/nsm/$HOSTNAME-$INTERFACE/bpf-pcap.conf
> This should be the same option in netsniff-ng, but my understanding is
> that I'll need to convert my "human-readable" bpf-pcap.conf using
> "tcpdump -dd"?

Yes, if you want to use filters and bpf-pcap.conf contains tcpdump-like
filters, run them through "tcpdump -dd <my filter>" > out.ops and then
pass out.ops to netsniff-ng via "--filter out.ops". That's it; netsniff-ng
will then automatically enable the BPF JIT if it's available in your
kernel. This feature translates BPF filters into architecture-optimized
machine opcodes within the kernel.

> -l /nsm/sensor_data/$HOSTNAME-$INTERFACE/dailylogs/$DATE
> In netsniff-ng, looks like I'll use the -o option to specify the
> output directory.

Yes, e.g. "netsniff-ng --in eth0 --out /opt/probe/ -s --interval 30 -b 0"
would create a new pcap file every 30 secs in the /opt/probe/ folder.

> -n snort.log
> This makes daemonlogger name the files in the output directory
> snort.log.$TIMESTAMP. Is there an equivalent option in netsniff-ng?

No, currently there is no prefix option. If you like, feel free to hack
the code, it should actually not be too difficult.

> -s 134217728
> This configures daemonlogger to rotate to a new pcap file when it
> reaches 129MB. Is there an equivalent option in netsniff-ng?

No, we only rotate if a specified interval in seconds runs out.

> Thanks in advance for any assistance!

Also have a look into
https://github.com/gnumaniacs/netsniff-ng/tree/master/Documentation

It should address quite a lot of things and is more up-to-date than the
FAQ. For everything else, the mailing list of course. ;)

Thanks,
Daniel
--
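The conversion and start-up sequence the reply describes, written out as a wrapper script. This is an added example, not code from netsniff-ng or from Security Onion: it collapses a tcpdump-style bpf-pcap.conf into one filter expression, compiles it with "tcpdump -dd" into the ops file that "--filter" expects, and then execs netsniff-ng with the "--in/--out/-s/--interval/-b" options quoted above. Assumptions not stated in the thread: the conf file may contain blank lines and "#" comments, $DATE is a YYYY-MM-DD directory name, the script runs as root with tcpdump and netsniff-ng in $PATH, and the sample conf at the top is a constructed one, not a real sensor file. Size-based rotation (daemonlogger's -s) has no counterpart, so the only rotation knob is INTERVAL.

```shell
#!/bin/sh
# run-netsniff.sh (added example, not from netsniff-ng or Security Onion)
# Convert a human-readable bpf-pcap.conf into netsniff-ng's compiled filter
# format and start a rotating capture. Assumes root, tcpdump and
# netsniff-ng in $PATH, and a conf file that may hold '#' comments and
# blank lines (assumption; pcap's filter grammar itself has no comments).
set -eu

IFACE="${IFACE:-eth0}"
SENSOR="${HOSTNAME:-sensor}"
CONF="${CONF:-/etc/nsm/$SENSOR-$IFACE/bpf-pcap.conf}"
# $DATE assumed to be YYYY-MM-DD, as in the daemonlogger command line
OUTDIR="${OUTDIR:-/nsm/sensor_data/$SENSOR-$IFACE/dailylogs/$(date +%Y-%m-%d)}"
INTERVAL="${INTERVAL:-30}"   # seconds; netsniff-ng rotates by time only, not size

# Constructed sample conf used for the stand-alone run / self-check below.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample bpf-pcap.conf, not a real Security Onion file
# skip the management SSH session
not (host 10.0.0.5 and port 22)
# skip backup traffic
and not net 192.168.100.0/24
EOF

# Collapse a multi-line filter file into one pcap-filter expression:
# strip '#' comments, drop blank lines, join with single spaces, trim.
build_filter_expr() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" \
        | tr '\n' ' ' \
        | sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//'
}

# Compile the expression into the "--filter" file format. "tcpdump -dd"
# prints the classic BPF program as C-array lines such as
#   { 0x28, 0, 0, 0x0000000c },
# Compiling against the live interface makes tcpdump pick that interface's
# link type, which the opcode offsets depend on (this is why root is needed).
compile_filter() {
    # $1 = interface, $2 = filter expression, $3 = output ops file
    tcpdump -i "$1" -dd "$2" > "$3"
}

main() {
    expr=$(build_filter_expr "$CONF")
    mkdir -p "$OUTDIR"
    ops="$OUTDIR/bpf.ops"
    compile_filter "$IFACE" "$expr" "$ops"
    # --in/--out as in the reply; -s silent, -b 0 pins to CPU 0,
    # --interval N starts a new pcap every N seconds.
    exec netsniff-ng --in "$IFACE" --out "$OUTDIR" --filter "$ops" \
        -s --interval "$INTERVAL" -b 0
}

# Only start capturing when invoked with the "run" argument, so the file can
# also be sourced to reuse build_filter_expr/compile_filter.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Usage: `IFACE=eth1 CONF=/etc/nsm/$HOSTNAME-eth1/bpf-pcap.conf sh run-netsniff.sh run`. Re-run the script whenever bpf-pcap.conf changes, since the ops file is a compiled snapshot of the filter and netsniff-ng will not notice edits to the source conf.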
