Snort mailing list archives
Re: Traffic storage/analysis
From: Bob Hillegas <bobhillegas () houston rr com>
Date: Tue, 9 Jul 2002 07:54:37 -0500 (CDT)
I captured all packets for some time. I used to use ppp and therefore had good cutoff points when the interface went down. I used the following in my snort.conf file:

    ruletype bulk
    {
        type log
        output log_tcpdump: bulk.log
    }
    bulk ip any any -> any any (msg:"Capture all ip packets";)

In that setup, I dumped snort and ipchains stats to syslog and compared the number of packets captured to the number of packets reported by ipchains. They matched. BUT, you will find some discrepancies in Snort's stats. The summary total number of packets is inflated by the number of fragments (or thereabouts, details have faded; I now have moved to a cable modem and have stopped capturing all packets).

Issues to conquer:

1) w/o a patch, snort timestamps its files with day and hour, a problem when you create file2 during the same hour. I got around it by renaming the file.

2) Make sure you don't use -z est. It does limit the number of packets it captures.

Have fun,
BobH
--
----------------------------------
Bob Hillegas
bobhillegas () houston rr com

On Mon, 8 Jul 2002 David LaPorte <dave () laportestyle org> wrote:

> Date: Mon, 8 Jul 2002 21:45:42 -0400
> From: David LaPorte <dave () laportestyle org>
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Traffic storage/analysis
>
> Hello,
>
> I recently picked up a cheap 100GB drive and am looking to capture traffic
> across my DSL link (all of it - I figure I can keep a month or so) for
> forensic analysis. I'd like to use Snort, as well as tcpdump, ethereal, etc.
> to look at the data after the fact. The primary goal is to see IP in the
> wild - ID is part of that, but not the only goal.
>
> I'm assuming I should store in tcpdump format since it is most widely
> supported. What should I use to capture and where should I put it - is
> tcpdump to a flat file the best way to go?
>
> My priority is fast random access to the collected data (any sort of RAID is
> not an option - I have only one drive). I could write out a new file every
> hour to minimize the size, but what if an event crosses an hour threshold? Is
> anyone doing something similar?
>
> Sorry this is a little off-topic, but I figured someone out there must be
> logging all their traffic.
>
> thanks,
> Dave LaPorte
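Two practical questions come up in this exchange: how to find an event that straddles an hourly file rotation, and how to check the packets on disk against an outside counter the way Bob compared Snort's log against ipchains. The script below is an added example for this archive page, not code from either poster or from the Snort project. It reads libpcap (tcpdump-format) files with only the standard library, reports each file's packet count and time span, returns every file overlapping a requested window, and reconciles the on-disk total with an external count. The two hourly capture files, their names, the 20-byte dummy packets and the external count of 7 are all constructed in memory for the demonstration; the raw-IP link type is likewise an assumption chosen to keep the sample small.

```python
"""Inventory hourly libpcap files from an all-traffic capture.

Added example (not from the original thread). Answers two questions raised
there: which hourly files hold a given time window, and whether the packet
count on disk matches an outside counter such as firewall accounting.
"""
import struct
from datetime import datetime, timezone

MAGIC_MICRO = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
MAGIC_NANO = 0xA1B23C4D    # libpcap magic variant, nanosecond timestamps
LINKTYPE_RAW = 101         # raw IP, no link-layer header (assumption for the sample)


def parse_pcap(data):
    """Return [(timestamp_seconds, captured_len, wire_len), ...] for every
    record, detecting byte order and timestamp resolution from the magic.
    Raises ValueError on a file that is not libpcap or has a truncated record."""
    magic_le, = struct.unpack("<I", data[:4])
    if magic_le in (MAGIC_MICRO, MAGIC_NANO):
        order, magic = "<", magic_le
    else:
        magic_be, = struct.unpack(">I", data[:4])
        if magic_be not in (MAGIC_MICRO, MAGIC_NANO):
            raise ValueError("not a libpcap file")
        order, magic = ">", magic_be
    divisor = 1e9 if magic == MAGIC_NANO else 1e6
    records = []
    offset = 24  # fixed-size global header
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        records.append((ts_sec + ts_frac / divisor, incl_len, orig_len))
        offset += incl_len
    return records


def is_intact(data):
    """True if every record parses; a capture cut off mid-write fails this."""
    try:
        parse_pcap(data)
        return True
    except ValueError:
        return False


def summarize(name, data):
    """Packet count and first/last timestamp of one capture file."""
    recs = parse_pcap(data)
    return {"file": name, "packets": len(recs),
            "first": recs[0][0] if recs else None,
            "last": recs[-1][0] if recs else None}


def files_covering(summaries, start, end):
    """Names of every file whose time span overlaps [start, end]. An event
    that crosses an hourly rotation simply comes back as two files."""
    return [s["file"] for s in summaries
            if s["packets"] and s["first"] <= end and s["last"] >= start]


def reconcile(summaries, external_count):
    """Compare packets on disk with a count from another source."""
    on_disk = sum(s["packets"] for s in summaries)
    return {"on_disk": on_disk, "external": external_count,
            "missing": external_count - on_disk}


# --- constructed sample data (not real traffic) ------------------------------

def build_pcap(timestamps, order="<"):
    """Build a minimal libpcap file in memory with one 20-byte dummy packet
    per timestamp. Constructed for the demonstration only."""
    header = struct.pack(order + "IHHiIII", MAGIC_MICRO, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    body = b""
    for t in timestamps:
        sec = int(t)
        usec = int(round((t - sec) * 1e6))
        payload = b"\x45" + b"\x00" * 19   # dummy bytes; content is irrelevant here
        body += struct.pack(order + "IIII", sec, usec, len(payload), len(payload)) + payload
    return header + body


def ts(hour, minute):
    """UTC timestamp on a fixed sample day."""
    return datetime(2002, 7, 9, hour, minute, tzinfo=timezone.utc).timestamp()


# Hypothetical file names; the second file is big-endian to exercise detection.
SAMPLE_FILES = {
    "capture-13h.pcap": build_pcap([ts(13, 0), ts(13, 30), ts(13, 58)]),
    "capture-14h.pcap": build_pcap([ts(14, 1), ts(14, 2), ts(14, 40)], order=">"),
}


def demo():
    """Event from 13:57 to 14:03 spans the rotation; external counter says 7."""
    summaries = [summarize(n, d) for n, d in SAMPLE_FILES.items()]
    hit = files_covering(summaries, ts(13, 57), ts(14, 3))
    check = reconcile(summaries, external_count=7)
    return summaries, hit, check


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The overlap test is the whole answer to the hour-boundary worry: rotating files hourly loses nothing as long as the analysis step selects files by time span rather than by a single file name. The reconcile step is the same sanity check Bob did by hand against ipchains, and a non-zero "missing" value is the signal to look for drops or a truncated file (which is_intact flags) before trusting the capture for forensics.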