Snort mailing list archives

Re: Physical configuration question


From: Bamm Visscher <bamm () satx rr com>
Date: Wed, 12 Feb 2003 09:56:12 -0600

I use big disks and filters for my binary logging. On most of the networks I monitor, a simple rule to filter outbound 
web traffic is enough to bring the data down to more manageable levels.

snort/tcpdump not \( src net 192.168.1.0/24 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 192.168.1.0/24 and "tcp[2:2] > 1024" \)

Bammkkkk

On Wed, Feb 12, 2003 at 07:45:08AM -0800, Sammy wrote:
I have a question regarding configuration and how to deal with the large amounts of data I have Snort capturing.  
Right now I have 4 sensors, each with two instances of Snort running.  One instance is running in alert mode while 
the other instance is capturing all packet data in tcpdump format.  I've already upgraded the disks in all my sensors 
as I'm getting close to 20GB an hour on some of them.  How are people dealing with the massive data collected?  Are 
you using huge disk arrays?  Archiving to tape?  Any suggestions are appreciated.  Thanks in advance!
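Bamm's filter above drops the two halves of an ordinary outbound HTTP conversation: packets from the internal net to port 80 with an ephemeral (above 1024) source port, and replies from port 80 back to a high-numbered port on the internal net. Everything else, including port-80 traffic with a low-numbered peer port and all non-TCP packets, still reaches the binary log. The Python below is an added example, not code from the thread: it re-implements that BPF predicate over a few constructed IPv4/TCP frames (not captured traffic) so you can check which packets survive before committing disks to it. It assumes the 192.168.1.0/24 net from the posted command; the helper names are hypothetical. The trade-off to keep in mind is that the tcpdump instance then holds no record of HTTP sessions, so any investigation of web traffic has to rely on the alert-mode instance.

```python
import ipaddress
import struct

# Internal network taken from the posted filter (assumption: same net as in the thread).
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")


def build_packet(src_ip, dst_ip, sport, dport):
    """Construct a minimal IPv4 + TCP frame (constructed sample, not real traffic).

    Only the fields the filter reads are meaningful; checksums are left at zero.
    """
    total_len = 20 + 20  # IPv4 header + TCP header, no payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,          # version 4, IHL 5 (20 bytes)
        0,             # DSCP/ECN
        total_len,
        0, 0,          # identification, flags/fragment offset
        64,            # TTL
        6,             # protocol: TCP
        0,             # header checksum (not computed here)
        ipaddress.ip_address(src_ip).packed,
        ipaddress.ip_address(dst_ip).packed,
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport,  # tcp[0:2] and tcp[2:2] in BPF terms
        0, 0,          # seq, ack
        0x50,          # data offset 5 words
        0x10,          # flags: ACK
        8192,          # window
        0, 0,          # checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr


def parse(pkt):
    """Pull protocol, addresses and TCP ports out of a raw IPv4 frame."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    sport = dport = None
    if proto == 6:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, src, dst, sport, dport


def keep(pkt):
    """Return True if the packet passes Bamm's filter (i.e. would be logged).

    Mirrors:  not (src net INTERNAL and dst port 80 and tcp[0:2] > 1024)
          and not (src port 80 and dst net INTERNAL and tcp[2:2] > 1024)
    """
    proto, src, dst, sport, dport = parse(pkt)
    if proto != 6:
        # The tcp[...] tests can only match TCP, so non-TCP packets are always kept.
        return True
    client_to_web = src in INTERNAL_NET and dport == 80 and sport > 1024
    web_to_client = sport == 80 and dst in INTERNAL_NET and dport > 1024
    return not (client_to_web or web_to_client)


def apply_filter(pkts):
    """Return (kept, dropped) counts for a list of frames, to estimate the data reduction."""
    kept = sum(1 for p in pkts if keep(p))
    return kept, len(pkts) - kept


if __name__ == "__main__":
    samples = [
        build_packet("192.168.1.10", "203.0.113.5", 40000, 80),   # browser -> web server: dropped
        build_packet("203.0.113.5", "192.168.1.10", 80, 40000),   # web server -> browser: dropped
        build_packet("192.168.1.10", "203.0.113.5", 40000, 443),  # HTTPS: kept
        build_packet("203.0.113.5", "192.168.1.10", 80, 1000),    # port 80 to a low port: kept
        build_packet("198.51.100.7", "203.0.113.5", 40000, 80),   # not from the internal net: kept
    ]
    for p in samples:
        print(parse(p)[1:], "kept" if keep(p) else "dropped")
    print("kept/dropped:", apply_filter(samples))
```

Run it as-is to see which constructed frames the predicate drops; to try the real thing, paste the filter string from Bamm's message after `tcpdump -n -r <file>` and compare the packet counts with and without it.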



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net