Skip to content
/ DAQ_PCAP_SPOOLER Public

This DAQ module is simple in it self. Its goal is to read PCAP file in spooled mode.

3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

binf/DAQ_PCAP_SPOOLER

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
m4
m4
 
 
Makefile.am
Makefile.am
 
 
README
README
 
 
TODO
TODO
 
 
autogen.sh
autogen.sh
 
 
configure.ac
configure.ac
 
 
daq_pcap_spooler.c
daq_pcap_spooler.c
 
 
daq_pcap_spooler.h
daq_pcap_spooler.h
 
 

Repository files navigation

#
#
# DAQ_PCAP_SPOOLER v4
#
# (c) 2012 Eric Lauzon <[email protected]>
#
#
# Which came first, the pig or the barn?
#

#
# Description
#
#

 This DAQ module is simple in it self. Its goal is to read PCAP file in spooled mode.
 For snort people its like barnyard(X) for snort.

 This DAQ module monitor a directory for specific prefixed pcap file and as they grow, new packets are sent to snort 
 for analysis without loosing detection context. 

 The module also has the ability to archive processed pcap file to a defined directory.

 The module create a PSRF (PCAP SPOOLER REFERENCE FILE) think waldo file (for barnyard(x) folks), that will allow
 snort to resume its processing on halt.

#
# Compilation
#
 extract
 run ./autogen.sh
 ./configure --enable-shared
 make
 make install OR copy .libs/daq_pcap_spooler.so to your favorite DAQ library directory and enjoy.


#
# Configure option
#
[--enable-largfile]
Support for >2gb capture file.


#
# DAQ Variables:
# 


# operation_mode
#
# Default: pcap

  Define what type of file to monitor support (pcap|PCAP or yaf|YAF)

# file_prefix
#
# Default: daemonlogger.pcap

  pcap file prefix being watched in the spool directory.

# spool_directory
#
# Default: /var/log/snort/log

  Spool monitor directory where pcap file with the file_prefix are located.


# archive_directory
#
# Default: /var/log/snort/archive

 If enble_archive is enabled, and the DAQ module is done procesing its current pcap file, 
 and a new file arrive or it start processing a new file, this is the location
 where the old file will be written.

# block_size_read
#
# Default: 128

 The default buffering done by the DAQ module on the pcap file integer * filesystem block size.

# pcap_reference_file
#
# Default: /var/log/snort/PSRF

 Full path to the file that will be used as a pointe/referencer to continue processing if snort is stoped.

# packet_update_window
#
# Default: 50

  The number of processed packet from the current pcap file read before writing to the pcap_refence_file


# enable_archive
#
# Default: 0 (off)

 Enable archiving of processed pcap file (moved to defined archive_directory)

# enable_debug
#
# Default: 0 (off)
 Enable printing of a few usefull information (for debugging)
	
#	
# Snort Usage
#
# snort  --daq-dir /usr/local/lib/daq --daq pcap_spooler --daq-var file_prefix=daemonlogger.pcap --daq-var enable_archive=1 --daq-var pcap_reference_file=snortXXX_PSRF etc....
#

#
# TODO/Comments/Bugs/Requests/etc
#
# 

  Mail me

About

This DAQ module is simple in it self. Its goal is to read PCAP file in spooled mode.

Resources

Readme
Activity

Stars

3 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages