Snort mailing list archives
Re: >2Gb capture files
From: Chris Green <cmg () uab edu>
Date: 06 Jul 2001 12:50:58 -0500
Shriman Gurung <sg () dataconnection com> writes:
> It seems to me that even if your system supported 2Gb+ files, you would not want to use them. I find that managing big files with the standard tools (tcpdump etc) takes ages and often crashes things.
Agreed. For a really bad tool to manage large amounts of data with: ethereal. Great for small bits of analysis and up to maybe 150mb captures (provided you have a 1gb memory machine). It uses about 3x the size of the capture (at least in default settings w/o DNS).
> People have suggested regular snort restarts, which by and large I agree with, but you might have a really _really_ high traffic site in which case this might not be practical. Back of envelope calculation: say you have a (let's pick a number) 48Mbit/s worth of evil traffic, ie 6Mb/s, then you are filling up 2Gb every five minutes. Who wants to restart Snort every five minutes? In this scenario, if snort takes three seconds to restart you potentially lose 18Mb of traffic, which sounds real bad to me. If you are concerned about losing info whilst snort is restarting, you could set up two instances of snort on separate machines configured to restart at different times. For example A restarts snort at t, t+5, t+10, ... and B at t+2, t+7, t+12, ...
I think the real key is changing snort so that the HUP mode to rotate logs works better than re-execing itself (essentially a restart). This is probably a todo for 2.0, but 1.8 is around the corner and this should not be done for it.
> Alternatively, I guess you could set up a collection of machines running snort (snorters?) and configure each to log a particular type of traffic, the aim being to reduce the amount of traffic that each one logged. The downside of that is complexity.
Sounds like the netapp split / real secure solution, although that's definitely not for periods of time where you're going to have 48mbit of net-cruft to log.

--
Chris Green <cmg () uab edu>
You now have 14 minutes to reach minimum safe distance.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
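The back-of-envelope figures and the staggered two-sensor restart schedule above can be checked with a small capacity model. The following is an added example, not code from the thread or from the Snort project: it assumes decimal units (1 MB = 1,000,000 bytes, so 48 Mbit/s is 6 MB/s and a 2 GB file fills in roughly 5.5 minutes), models each sensor as fully blind for a fixed number of seconds per restart, and reports how many seconds in a given window have every sensor down at once.

```python
"""Capacity model for the sensor-restart trade-off discussed in the thread.

Added example, not part of the original mailing-list post. All rates, file
limits and restart durations are parameters; the sample values in main()
are the ones quoted in the thread (48 Mbit/s, 2 GB files, 3 s restarts).
"""

MB = 1_000_000  # decimal megabyte, matching the "48Mbit/s -> 6Mb/s" arithmetic above


def bytes_per_second_from_mbit(mbit_per_s: float) -> float:
    """Convert a link rate in megabits per second to bytes per second."""
    return mbit_per_s * MB / 8


def fill_time_seconds(rate_bytes_per_s: float, file_limit_bytes: float) -> float:
    """Seconds until a capture file hits the size limit at a steady write rate."""
    return file_limit_bytes / rate_bytes_per_s


def bytes_lost_during_restart(rate_bytes_per_s: float, restart_seconds: float) -> float:
    """Traffic a single sensor does not capture while it is re-executing itself."""
    return rate_bytes_per_s * restart_seconds


def down_intervals(period_s: float, restart_s: float, offset_s: float, horizon_s: float):
    """Half-open [start, end) intervals in [0, horizon) during which one sensor is restarting.

    The sensor restarts at offset, offset + period, offset + 2*period, ... and is
    blind for restart_s seconds each time (assumption: no packets are buffered).
    """
    intervals = []
    t = offset_s
    while t < horizon_s:
        intervals.append((t, min(t + restart_s, horizon_s)))
        t += period_s
    return intervals


def _intersect(a, b):
    """Pairwise intersection of two lists of half-open intervals."""
    out = []
    for s1, e1 in a:
        for s2, e2 in b:
            s, e = max(s1, s2), min(e1, e2)
            if s < e:
                out.append((s, e))
    return out


def uncovered_seconds(period_s: float, restart_s: float, offsets, horizon_s: float) -> float:
    """Total seconds in [0, horizon) when every sensor is restarting simultaneously.

    Sensors are identical except for the phase offset of their restart schedule,
    which is exactly the "A restarts at t, B at t+2" arrangement from the thread.
    """
    common = down_intervals(period_s, restart_s, offsets[0], horizon_s)
    for off in offsets[1:]:
        common = _intersect(common, down_intervals(period_s, restart_s, off, horizon_s))
    return sum(e - s for s, e in common)


def main() -> None:
    rate = bytes_per_second_from_mbit(48)           # 6,000,000 B/s
    print(f"fill time for 2 GB: {fill_time_seconds(rate, 2000 * MB):.0f} s")
    print(f"lost per 3 s restart: {bytes_lost_during_restart(rate, 3) / MB:.0f} MB")
    # One sensor restarting every 5 minutes leaves 3 s of blindness per cycle;
    # two sensors 2 minutes out of phase leave none.
    for offsets in ([0], [0, 120], [0, 1]):
        gap = uncovered_seconds(300, 3, offsets, 3600)
        print(f"offsets {offsets}: {gap:.0f} s per hour with every sensor down")


if __name__ == "__main__":
    main()
```

The offsets list generalises the two-machine scheme to any number of sensors; any offset difference of at least the restart duration removes the gap entirely, while a difference smaller than the restart duration (offsets `[0, 1]` above) only shrinks it.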