Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

This DAQ module is simple in it self. Its goal is to read PCAP file in spooled mode.

branch: master

Minor release update (no functionality changes)

Added : Merged YAF support without --enable switch
Added : DAQ variable for operation_mode
Fixed : compilation warning
Updated : default PSRF windows from 50 to 2000 packets
Updated : version to 4

If you update to this version you will need to create a new PSRF file
since the PSRF file size has changed.
latest commit 3752d6ea90
Eric Lauzon authored December 04, 2012
Octocat-spinner-32 m4 Initial Commit. September 16, 2012
Octocat-spinner-32 Makefile.am Initial Commit. September 16, 2012
Octocat-spinner-32 README Minor release update (no functionality changes) December 05, 2012
Octocat-spinner-32 TODO Minor release update (no functionality changes) December 05, 2012
Octocat-spinner-32 autogen.sh Initial Commit. September 16, 2012
Octocat-spinner-32 configure.ac Minor release update (no functionality changes) December 05, 2012
Octocat-spinner-32 daq_pcap_spooler.c Minor release update (no functionality changes) December 05, 2012
Octocat-spinner-32 daq_pcap_spooler.h Minor release update (no functionality changes) December 05, 2012
README
#
#
# DAQ_PCAP_SPOOLER v4
#
# (c) 2012 Eric Lauzon <beenph@gmail.com>
#
#
# Which came first, the pig or the barn?
#

#
# Description
#
#

 This DAQ module is simple in it self. Its goal is to read PCAP file in spooled mode.
 For snort people its like barnyard(X) for snort.

 This DAQ module monitor a directory for specific prefixed pcap file and as they grow, new packets are sent to snort 
 for analysis without loosing detection context. 

 The module also has the ability to archive processed pcap file to a defined directory.

 The module create a PSRF (PCAP SPOOLER REFERENCE FILE) think waldo file (for barnyard(x) folks), that will allow
 snort to resume its processing on halt.

#
# Compilation
#
 extract
 run ./autogen.sh
 ./configure --enable-shared
 make
 make install OR copy .libs/daq_pcap_spooler.so to your favorite DAQ library directory and enjoy.


#
# Configure option
#
[--enable-largfile]
Support for >2gb capture file.


#
# DAQ Variables:
# 


# operation_mode
#
# Default: pcap

  Define what type of file to monitor support (pcap|PCAP or yaf|YAF)

# file_prefix
#
# Default: daemonlogger.pcap

  pcap file prefix being watched in the spool directory.

# spool_directory
#
# Default: /var/log/snort/log

  Spool monitor directory where pcap file with the file_prefix are located.


# archive_directory
#
# Default: /var/log/snort/archive

 If enble_archive is enabled, and the DAQ module is done procesing its current pcap file, 
 and a new file arrive or it start processing a new file, this is the location
 where the old file will be written.

# block_size_read
#
# Default: 128

 The default buffering done by the DAQ module on the pcap file integer * filesystem block size.

# pcap_reference_file
#
# Default: /var/log/snort/PSRF

 Full path to the file that will be used as a pointe/referencer to continue processing if snort is stoped.

# packet_update_window
#
# Default: 50

  The number of processed packet from the current pcap file read before writing to the pcap_refence_file


# enable_archive
#
# Default: 0 (off)

 Enable archiving of processed pcap file (moved to defined archive_directory)

# enable_debug
#
# Default: 0 (off)
 Enable printing of a few usefull information (for debugging)
	
#	
# Snort Usage
#
# snort  --daq-dir /usr/local/lib/daq --daq pcap_spooler --daq-var file_prefix=daemonlogger.pcap --daq-var enable_archive=1 --daq-var pcap_reference_file=snortXXX_PSRF etc....
#

#
# TODO/Comments/Bugs/Requests/etc
#
# 

  Mail me 
Something went wrong with that request. Please try again.