Snort mailing list archives
Traffic storage/analysis
From: David LaPorte <dave () laportestyle org>
Date: Mon, 8 Jul 2002 21:45:42 -0400
Hello,

I recently picked up a cheap 100GB drive and am looking to capture traffic across my DSL link (all of it - I figure I can keep a month or so) for forensic analysis. I'd like to use Snort, as well as tcpdump, ethereal, etc. to look at the data after the fact. The primary goal is to see IP in the wild - ID is part of that, but not the only goal.

I'm assuming I should store in tcpdump format since it is most widely supported. What should I use to capture and where should I put it - is tcpdump to a flat file the best way to go? My priority is fast random access to the collected data (any sort of RAID is not an option - I have only one drive). I could write out a new file every hour to minimize the size, but what if an event crosses an hour threshold?

Is anyone doing something similar? Sorry this is a little off-topic, but I figured someone out there must be logging all their traffic.

thanks,
Dave LaPorte

--
David LaPorte
dave () laportestyle org
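The worry in the post about an event that crosses an hourly file boundary can be worked through concretely. The script below is an added example, not code from the poster or from the Snort or tcpdump projects: it writes constructed packets into hourly-rotated pcap files the way a time-based rotation would, then pulls one TCP session back out by its bidirectional 5-tuple, walking the files in order so that the half of the session that landed in the next hour's file is recovered too. It assumes the classic libpcap 2.4 file format, link type 101 (raw IPv4, so no Ethernet framing is needed), a one-hour rotation, and constructed packets with zeroed checksums; the addresses and ports are made up.

```python
import struct

# Added example; assumptions: classic libpcap 2.4 file format written
# little-endian, link type 101 (LINKTYPE_RAW, packets begin at the IPv4
# header) so the constructed packets need no Ethernet framing, and a
# rotation interval of one clock hour.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101
SNAPLEN = 65535
ROTATE_SECS = 3600


def pcap_global_header():
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_RAW)


def pcap_record(ts_sec, ts_usec, data):
    # per-packet header: ts_sec, ts_usec, incl_len, orig_len
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data


def ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left zero."""
    total = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload


def read_pcap(blob):
    """Yield (ts_sec, ts_usec, packet_bytes) records from an in-memory pcap file."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24  # skip the global header
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield ts_sec, ts_usec, blob[off:off + incl]
        off += incl


def flow_key(pkt):
    """Direction-independent (proto, endpoint, endpoint) key for a raw IPv4 TCP/UDP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto not in (6, 17) or len(pkt) < ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    a, b = (pkt[12:16], sport), (pkt[16:20], dport)
    return (proto,) + tuple(sorted([a, b]))  # sorted so both directions match


def write_hourly(packets):
    """Split (ts_sec, ts_usec, data) records into one pcap blob per clock hour,
    mirroring what an hourly-rotated capture leaves on disk."""
    files = {}
    for ts_sec, ts_usec, data in packets:
        hour = ts_sec - ts_sec % ROTATE_SECS
        files.setdefault(hour, bytearray(pcap_global_header()))
        files[hour].extend(pcap_record(ts_sec, ts_usec, data))
    return [bytes(files[h]) for h in sorted(files)]


def extract_flow(pcap_blobs, key):
    """Collect every packet of one flow, in time order, across a list of capture
    files; a flow straddling a rotation boundary is reassembled by this walk."""
    out = []
    for blob in pcap_blobs:
        for ts_sec, ts_usec, data in read_pcap(blob):
            if flow_key(data) == key:
                out.append((ts_sec, ts_usec, data))
    out.sort(key=lambda r: (r[0], r[1]))
    return out


def demo():
    """Constructed traffic: a 5-packet TCP session starting two seconds before
    an hour boundary, plus one unrelated packet. Returns (file count,
    session packets found in the first file only, session packets found
    across all files)."""
    t0 = 10 * ROTATE_SECS - 2
    client, server = "192.0.2.10", "198.51.100.20"
    session = []
    for i in range(5):
        if i % 2 == 0:
            session.append((t0 + i, 0, ipv4_tcp(client, server, 40000, 80, b"req")))
        else:
            session.append((t0 + i, 0, ipv4_tcp(server, client, 80, 40000, b"resp")))
    noise = [(t0 + 1, 500, ipv4_tcp(client, "203.0.113.5", 40001, 53, b"other"))]
    files = write_hourly(session + noise)
    key = flow_key(session[0][2])
    first_only = extract_flow(files[:1], key)
    all_files = extract_flow(files, key)
    return len(files), len(first_only), len(all_files)


if __name__ == "__main__":
    print(demo())
```

Reading only the file for the hour in which the session began yields two of its five packets; walking the files in sequence yields all five, so hourly rotation costs nothing as long as the analysis tooling opens adjacent files rather than one at a time. Current tcpdump can produce exactly this layout itself (`tcpdump -i eth0 -s 0 -G 3600 -w 'dsl-%Y%m%d-%H.pcap'` rotates on a one-hour timer and expands strftime fields in the file name), and the `flow_key` routine is the kind of thing to feed an index (flow to file names) with so a later lookup opens only the two or three files that matter instead of a month of capture.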
Current thread:
- Traffic storage/analysis David LaPorte (Jul 08)
- <Possible follow-ups>
- Re: Traffic storage/analysis Bob Hillegas (Jul 09)