
This might be a bit complicated, I'll do my best to explain.

So I have a server running Bro/Snort IDS (not internet facing). On my Bro server I have a large number of pcaps of traffic obtained through a tap. What I'm trying to do is create a web app to run on the Bro server that allows me to send a GET containing tcpdump filter information such as source ip, source port, destination ip, etc, which will then trigger a Bash script to run tcpdump to go through all my pcap logs and create new pcaps of the filtered packets. Those packets will then be merged with mergecap.

I have the Bash script, and can run it no problem from the cli.

Here's the Bash script:

#!/bin/bash

FILTER=$1
STARTTIME=$2
RANDER=$3

FILENUM=0

# Glob instead of `ls` so the file names are not word-split
for FILES in /dailylogs/"$STARTTIME"/snort*
do
  ((FILENUM++))
  # Quote the filter so tcpdump gets it as one argument (the original
  # "\'" wrapping put literal backslash-quote characters into the expression)
  tcpdump -r "$FILES" "$FILTER" -w /pcap/tmp-"$FILENUM"
done

mergecap -w /pcap/mergedcap-"$RANDER".pcap /pcap/tmp-*
rm -f /pcap/tmp-*

The php I have that calls the script is here:

// sip, dip and st are the GET parameters from the URI (assumed here from the comments below)
$sip = $_GET['sip'];
$dip = $_GET['dip'];
$st  = $_GET['st'];

$script = "mergecaps.sh";

$filter = "((src $sip) and (dst $dip))";

$randnum = rand();
// escapeshellarg() passes each value as a single shell word, so the spaces and
// parentheses in $filter reach the script intact and the request parameters
// cannot change the command line; validate $sip/$dip as IP addresses as well
$cmd = $script . " " . escapeshellarg($filter) . " " . escapeshellarg($st) . " " . $randnum;
exec("bash /.scripts/" . $cmd, $raw);

I know that the script is actually being executed and the filter data is correct because I had placed the following in the bash script:

touch /pcap/random.txt
echo $FILTER >> /pcap/random.txt
echo $STARTTIME >> /pcap/random.txt
echo $RANDER >> /pcap/random.txt

With that the script created the random.txt and appended the variables no problem. All the data was correct. Just won't run tcpdump. I've changed the AppArmor status for tcpdump from enforce to complain. I've also tried adding sudo in front of tcpdump in the bash script.

Anyone have any ideas on what else I can do?

Any suggestions are much appreciated! :)

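A hardened version of the script, as an added example that is not the poster's code: each argument is checked against a strict pattern before it reaches tcpdump, the capture list comes from a glob rather than `ls`, and the filter is passed as one quoted argument. It keeps the /dailylogs and /pcap paths from the question; the helper names, the four-argument order and the `src host`/`dst host` form of the filter are this example's own.

```shell
#!/bin/sh
# Hardened replacement for mergecaps.sh (added example, not the poster's code).
# Helper names and argument order are this example's own; /dailylogs and /pcap
# are the paths used in the question.

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept only YYYY-MM-DD, the form used for the /dailylogs directory name.
valid_date() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}$'
}

# Build the BPF expression from two validated addresses; fail otherwise.
build_filter() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    printf '((src host %s) and (dst host %s))' "$1" "$2"
}

# Filter every snort* capture for one day and merge the matches into $4.
merge_day() {
    valid_date "$3" || { echo "rejected date: $3" >&2; return 2; }
    filter=$(build_filter "$1" "$2") || { echo "rejected address" >&2; return 2; }
    tmpdir=$(mktemp -d /pcap/tmp.XXXXXX) || return 3
    n=0
    for f in /dailylogs/"$3"/snort*; do        # glob, not `ls`: no word splitting
        [ -f "$f" ] || continue
        n=$((n + 1))
        tcpdump -r "$f" -w "$tmpdir/part-$n" "$filter"   # filter is one argument
    done
    mergecap -w "$4" "$tmpdir"/part-*
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Usage: mergecaps.sh SRC_IP DST_IP YYYY-MM-DD /pcap/mergedcap-NNN.pcap
[ $# -eq 4 ] && merge_day "$@"
```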
  • Try removing command substitution with `ls` and use globbing - `/dailylogs/STARTTIME/snort*`. Instead of `-w` in your tcpdump command use `>` redirection to the new file. – John B Jul 17 '14 at 23:46
  • Not using `-w` will cause tcpdump to write a textual dissection of the packets, rather than a pcap capture file. That's not what's wanted here, as per "run tcpdump to go through all my pcap logs and create *new pcaps* of the filtered packets." –  Jul 18 '14 at 00:04
  • tcpdump *shouldn't* require root privileges to read a file and write another file. –  Jul 18 '14 at 00:05
  • Does "won't run tcpdump" mean that you get a shell error complaining that it can't find tcpdump, or an error somewhere else? –  Jul 18 '14 at 00:07
  • Nope, no errors anywhere. I'm really confused by this. I'm pretty sure it's not an issue with permissions because I can run the script directly from the cli as a non-root and non-owner user no problem. It's just when I hit it with the uri: domain/index.php?sip=x.x.x.x&dip=x.x.x.x&st=2014-07-17 it'll run the script and show the right filter in random.txt but just won't run tcpdump. – Clownbaby Jul 18 '14 at 02:13

1 Answer

Found the answer, it was a permissions issue. Pretty simple, I just added

# NOPASSWD (not NOPASSWORD) is the sudoers tag; "/bin/bash *" lets www-data run any command as root without a password
www-data ALL= NOPASSWD: /bin/bash *, /usr/sbin/tcpdump *, /usr/bin/mergecap *

to /etc/sudoers and it worked fine. Forgot I had done that before on the user I was testing the script with. (Still a bit new to Linux.)
