Packet Logging in Sguil

From NSMWiki

Sguil's built-in packet logging and retrieval system uses a wrapper script (log_packets.sh) around a dedicated instance of Snort to write full packet captures to disk; the PCAP agent (pcap_agent.tcl) later reads those capture files back when an analyst requests the traffic for an event. For most users, this is good enough.

However, some sites have special needs, whether they need a packet logger with a smaller footprint, a system that provides better retrieval performance with huge captures, or some other requirement. It is possible to replace the pcap subsystem with minimal impact on the rest of Sguil. See this blog entry for an example of two alternative subsystems based on DaemonLogger and SANCP.
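The retrieval half of the design above, as an added example that is not Sguil's own code: the agent has to map an event time to the one capture file that contains it. The directory layout assumed here (dailylogs/YYYY-MM-DD/snort.log.&lt;epoch&gt;, with the suffix being the time the logger opened that file) is an assumption, not something this page states; the sample tree is constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example, not part of Sguil. Assumed (not from the page) on-disk layout:
#   $LOG_DIR/dailylogs/YYYY-MM-DD/snort.log.<epoch>
# where <epoch> is when the logger opened the file, so the file covering an
# event is the one with the largest <epoch> that is still <= the event time.

# find_capture <log_dir> <event_epoch>
# Prints the capture file to read for that event; returns 1 if none covers it
# (event earlier than the oldest capture, or no captures at all).
find_capture() {
    log_dir=$1
    event=$2
    best=""
    best_ts=0
    for f in "$log_dir"/dailylogs/*/snort.log.*; do
        [ -f "$f" ] || continue                      # unmatched glob or stray entry
        ts=${f##*.}                                  # epoch suffix of the file name
        case $ts in *[!0-9]*|"") continue ;; esac    # skip non-epoch suffixes
        if [ "$ts" -le "$event" ] && [ "$ts" -gt "$best_ts" ]; then
            best=$f
            best_ts=$ts
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Constructed sample tree (empty placeholder files, no real packet data) so the
# lookup can be exercised offline. Prints the temporary directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/dailylogs/2009-05-01" "$dir/dailylogs/2009-05-02"
    : > "$dir/dailylogs/2009-05-01/snort.log.1241136000"   # 2009-05-01 00:00:00 UTC
    : > "$dir/dailylogs/2009-05-01/snort.log.1241179200"   # 2009-05-01 12:00:00 UTC (rotated)
    : > "$dir/dailylogs/2009-05-02/snort.log.1241222400"   # 2009-05-02 00:00:00 UTC
    printf '%s\n' "$dir"
}
```

Because the scan is a single pass over file names, the cost grows with the number of capture files rather than their size, which is the part that matters when a sensor keeps many gigabytes of rotated captures.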