Snort mailing list archives
Re: Physical configuration question
From: Bamm Visscher <bamm () satx rr com>
Date: Wed, 12 Feb 2003 09:56:12 -0600
I use big disks and filters for my binary logging. On most of the networks I monitor, a simple rule to filter outbound web traffic is enough to bring the data down to more manageable levels.

snort/tcpdump not \( src net 192.168.1.0/24 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 192.168.1.0/24 and "tcp[2:2] > 1024" \)

Bammkkkk

On Wed, Feb 12, 2003 at 07:45:08AM -0800, Sammy wrote:
I have a question regarding configuration and how to deal with the large amounts of data I have Snort capturing. Right now I have 4 sensors, each with two instances of Snort running. One instance is running in alert mode while the other instance is capturing all packet data in tcpdump format. I've already upgraded the disks in all my sensors as I'm getting close to 20GB an hour on some of them. How are people dealing with the massive data collected? Are you using huge disk arrays? Archiving to tape? Any suggestions are appreciated. Thanks in advance!
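As an added illustration that is not part of the original thread (and not Snort or tcpdump code), the following Python evaluates Bamm's BPF expression over constructed IPv4/TCP packets, making explicit that tcp[0:2] is the TCP source port and tcp[2:2] the destination port, and showing which flows survive the filter. It assumes unfragmented IPv4, which is also what libpcap's tcp[...] index requires; the addresses and ports are sample values.

```python
import ipaddress
import struct

# The monitored network from the filter expression in the message above.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

def build_packet(src_ip, dst_ip, sport, dport):
    """Constructed sample data: a minimal IPv4 + TCP packet (no options,
    checksums left at zero) so the filter can be evaluated offline."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return ip + tcp

def bpf_keeps(packet):
    """Evaluate the filter from the post on one raw IPv4/TCP packet:
       not (src net L and dst port 80 and tcp[0:2] > 1024)
       and not (src port 80 and dst net L and tcp[2:2] > 1024)
    In BPF, tcp[0:2] is the 16-bit TCP source port and tcp[2:2] the
    destination port, both counted from the start of the TCP header."""
    if packet[9] != 6:          # IP protocol field: not TCP, so neither
        return True             # clause can match and the packet is kept
    ihl = (packet[0] & 0x0F) * 4
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    tcp_0_2, tcp_2_2 = struct.unpack("!HH", packet[ihl:ihl + 4])
    outbound_web = src in LOCAL_NET and tcp_2_2 == 80 and tcp_0_2 > 1024
    inbound_reply = tcp_0_2 == 80 and dst in LOCAL_NET and tcp_2_2 > 1024
    return not (outbound_web or inbound_reply)

def triage(samples):
    """Return {name: 'kept' | 'dropped'} for a dict of named sample packets."""
    return {n: ("kept" if bpf_keeps(p) else "dropped") for n, p in samples.items()}

SAMPLES = {  # constructed cases; 203.0.113.0/24 is a documentation range
    "client 192.168.1.10 -> web server :80": build_packet("192.168.1.10", "203.0.113.5", 34567, 80),
    "web server :80 -> client 192.168.1.10": build_packet("203.0.113.5", "192.168.1.10", 80, 34567),
    "outbound :80 from privileged port": build_packet("192.168.1.10", "203.0.113.5", 1024, 80),
    "inbound request to a local :80 server": build_packet("203.0.113.5", "192.168.1.20", 45000, 80),
    "outbound HTTPS": build_packet("192.168.1.10", "203.0.113.5", 34567, 443),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{verdict:8} {name}")
```

Note that inbound requests to local web servers and outbound traffic to any other port still land in the binary log; only the client-side HTTP sessions are discarded, so an incident inside one of those sessions will have no packet evidence in this capture.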