Snort mailing list archives
RE: Stream/Packet Capture with Snort
From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 10 May 2005 09:57:16 -0400
Right now I'm logging alerts directly from Snort to MySQL. The MySQL database is on another box with more than enough resources to handle what I'm considering throwing at it. So are you saying that the performance of the Snort sensor itself is going to suffer, and if so, in what way(s)?

Anyway, I had considered using tcpdump to log the e-mail traffic I am interested in, but my Snort deployment is connected back to a larger ISM system that can query the MySQL database for packet payload. It's worth the disk and memory costs to have that information available to me through the ISM. If I can't get Snort to do it, then I might use tcpdump or ngrep for one-off work, but I'd like to have this capability available within my current framework just by changing snort.conf and restarting the sensor.

PaulM

-----Original Message-----
Subject: Re: [Snort-users] Stream/Packet Capture with Snort

Paul Melson wrote:
I'm using one of my Snort sensors (v2.3.2 w/ flexresp) to monitor, among other things, outbound e-mail traffic. Right now I am logging to a MySQL database and can view the offending packet data on a per-alert basis. In the case of e-mail traffic, packet captures of lengthy messages (say those with MIME attachments) don't always include the message headers.
Hello Paul,

Have you considered just logging port 25 TCP traffic with Tcpdump? Putting packets in a database (especially lots of packets) is a bad idea, IMHO, despite the fact that plenty of vendors do it. Leaving traffic in pcap format gives you more options to process whatever you collect.

On a related note, since you mentioned database logging -- are you using Barnyard or another Snort output spool reader, or are you asking Snort to make MySQL inserts? Not using Barnyard or an equivalent is a real performance killer.
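One concrete reason pcap is the more flexible store, as an added example that is not code from this thread, from Snort or from any of the posters: the headers Paul is missing are not in the packet that fired the alert, they are earlier in the same TCP stream, so they are recoverable only if you kept the whole conversation and reassemble it. The script below reads a classic libpcap file, orders the client-to-server side of each tcp/25 conversation by sequence number (collapsing retransmits, trimming overlaps and marking any uncaptured segment instead of silently joining across it), and pulls the RFC 822 header block that follows DATA. The hosts 10.0.0.5 and 192.0.2.10, port 41000 and the SMTP dialogue are constructed sample data for the example; the helper that builds the capture exists only so the example runs offline.

```python
"""Reassemble SMTP (tcp/25) client streams from a libpcap file and pull out the message
headers. Added example, not from the thread. Assumes Ethernet/IPv4/TCP, no IP fragments."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4

def build_frame(src_ip, sport, dst_ip, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1115000000 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield captured frames; accepts either byte order of the classic format."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {PCAP_MAGIC_LE: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic libpcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl

def parse_tcp(frame):
    """Return ((src, sport, dst, dport), seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
    return key, seq, tcp[doff:]

def reassemble(pcap_bytes, port=25):
    """Order client->server segments by sequence number; retransmits and overlaps
    are dropped, and a missing segment is marked with '?' bytes rather than hidden."""
    flows = defaultdict(dict)
    for frame in read_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed and parsed[0][3] == port and parsed[2]:
            flows[parsed[0]][parsed[1]] = parsed[2]   # keyed by seq: retransmits collapse
    streams = {}
    for key, segs in flows.items():
        data, nxt = b"", min(segs)
        for seq in sorted(segs):
            chunk = segs[seq]
            if seq < nxt:
                chunk = chunk[nxt - seq:]            # overlap: keep only the new bytes
            elif seq > nxt:
                data += b"?" * (seq - nxt)           # gap: a segment was never captured
            data += chunk
            nxt = max(nxt, seq + len(segs[seq]))
        streams[key] = data
    return streams

def smtp_headers(stream):
    """Return the RFC 822 header block of the first message sent after DATA."""
    i = stream.find(b"DATA\r\n")
    while i > 0 and stream[i - 2:i] != b"\r\n":       # DATA must begin a command line
        i = stream.find(b"DATA\r\n", i + 1)
    if i < 0:
        return {}
    body = stream[i + 6:]
    hdr_end = body.find(b"\r\n\r\n")
    headers = {}
    for line in (body[:hdr_end] if hdr_end >= 0 else body).decode("latin-1").split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers

def sample_pcap(drop_middle=False):
    """Constructed capture: one outbound message, segments written out of order with one
    retransmit, plus a server reply that must be ignored; drop_middle loses a segment."""
    client, server = ("10.0.0.5", 41000), ("192.0.2.10", 25)
    parts = [b"EHLO mx.example\r\nMAIL FROM:<alice@example>\r\nRCPT TO:<bob@example.net>\r\nDATA\r\n",
             b"From: alice@example\r\nTo: bob@example.net\r\nSubject: quarterly numbers\r\n",
             b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\nbody\r\n--b1--\r\n.\r\nQUIT\r\n']
    seq, segs = 1000, []
    for p in parts:
        segs.append(build_frame(*client, *server, seq, p))
        seq += len(p)
    reply = build_frame(*server, *client, 5000, b"354 End data with <CR><LF>.<CR><LF>\r\n")
    order = [segs[2], reply, segs[0], segs[1], segs[1]]
    return build_pcap([f for f in order if not (drop_middle and f is segs[1])])
```

Against a real file, read the bytes of a capture taken with full snaplen (for example `tcpdump -s 0 -w mail.pcap tcp port 25`) and pass them to `reassemble`; a capture taken with the default snaplen truncates every segment and the header block comes back cut short, which is the same symptom as a database that stores only the alerting packet. The '?' padding is deliberate: a gap in an SMTP stream usually means the sensor dropped packets, and that is worth seeing rather than papering over.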
Current thread:
- RE: Stream/Packet Capture with Snort Paul Melson (May 10)
- <Possible follow-ups>
- Re: Stream/Packet Capture with Snort Richard Bejtlich (May 11)
- Re: Stream/Packet Capture with Snort Richard Bejtlich (May 11)
- Re: Stream/Packet Capture with Snort Richard Bejtlich (May 11)