Snort mailing list archives

Re: Stream/Packet Capture with Snort


From: Richard Bejtlich <taosecurity () gmail com>
Date: Mon, 09 May 2005 20:15:12 -0400

Paul Melson wrote:

I'm using one of my Snort sensors (v2.3.2 w/ flexresp) to monitor, among
other things, outbound e-mail traffic.  Right now I am logging to a MySQL
database and can view the offending packet data on a per-alert basis.  In
the case of e-mail traffic, packet captures of lengthy messages (say those
with MIME attachments) don't always include the message headers.


Hello Paul,

Have you considered just logging port 25 TCP traffic with Tcpdump?
Putting packets in a database (especially lots of packets) is a bad
idea, IMHO, despite the fact that plenty of vendors do it.  Leaving
traffic in pcap format gives you more options to process whatever you
collect.

On a related note, since you mentioned database logging -- are you
using Barnyard or another Snort output spool reader, or are you asking
Snort to make MySQL inserts?  Not using Barnyard or an equivalent is a
real performance killer.

Sincerely,

Richard
http://www.taosecurity.com
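The point Richard makes about pcap giving you more processing options, illustrated with an added example that is not part of this thread and is not Snort, Barnyard or Tcpdump code: it writes a small libpcap file (the format `tcpdump -w` produces) containing a constructed SMTP session whose message headers are spread over several TCP segments, delivered out of order and with one retransmission, then reassembles the client-to-server stream from the pcap and pulls the RFC 5322 headers back out. Addresses, sequence numbers and the message itself are made up for the example; the capture is built in memory rather than read from disk.

```python
"""Reassemble SMTP message headers from a pcap of port 25 traffic.

Added example for the thread above, not code from Snort or any poster.
All addresses and the message are constructed sample data.
"""
import socket
import struct
from collections import defaultdict

CLIENT = ("10.0.0.5", 40000)   # constructed sample endpoints
SERVER = ("192.0.2.25", 25)

# Constructed client->server SMTP stream. The header block is long enough
# that slicing it into segments below splits it across several packets.
CLIENT_STREAM = (
    b"EHLO mail.example.test\r\n"
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: Alice <alice@example.test>\r\n"
    b"To: Bob <bob@example.net>\r\n"
    b"Subject: quarterly report,\r\n"
    b" with attachment\r\n"              # folded header continuation line
    b"Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n"
    b"\r\n"
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n--XYZ--\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def tcp_segment(src, dst, seq, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame; checksums are left zero (parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 0x50, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src[0]), socket.inet_aton(dst[0]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def write_pcap(frames):
    """Serialise frames as classic little-endian libpcap, link type Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def build_sample_pcap():
    """Slice the stream into uneven segments, deliver two of them out of
    order and retransmit the first, so the capture looks like real traffic."""
    isn, sizes = 1000, [24, 33, 27, 6, 40, 20, 60]
    segs, offset = [], 0
    while offset < len(CLIENT_STREAM):
        chunk = CLIENT_STREAM[offset:offset + sizes[len(segs) % len(sizes)]]
        segs.append(tcp_segment(CLIENT, SERVER, isn + offset, chunk))
        offset += len(chunk)
    segs[4], segs[5] = segs[5], segs[4]   # two header segments swapped
    segs.append(segs[0])                  # duplicate of the EHLO segment
    return write_pcap(segs)


def read_pcap(data):
    """Yield raw frames from pcap bytes written by write_pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def parse_tcp(frame):
    """Return ((src_ip, sport), (dst_ip, dport), seq, payload) or None."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return ((socket.inet_ntoa(ip[12:16]), sport),
            (socket.inet_ntoa(ip[16:20]), dport), seq, tcp[doff:])


def reassemble(pcap_bytes, port=25):
    """Rebuild each byte stream towards `port`, ordering by sequence number,
    dropping retransmissions, trimming overlap and marking gaps with '?'."""
    flows = defaultdict(list)
    for frame in read_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed and parsed[1][1] == port and parsed[3]:
            flows[(parsed[0], parsed[1])].append((parsed[2], parsed[3]))
    streams = {}
    for key, segs in flows.items():
        segs.sort()
        expected, buf = segs[0][0], bytearray()
        for seq, payload in segs:
            if seq + len(payload) <= expected:
                continue                            # full retransmission
            if seq < expected:
                payload = payload[expected - seq:]  # partial overlap
            elif seq > expected:
                buf += b"?" * (seq - expected)      # lost segment
            buf += payload
            expected = seq + len(payload)
        streams[key] = bytes(buf)
    return streams


def smtp_headers(stream):
    """Header block of the first DATA command as a dict, continuation lines unfolded."""
    start = stream.find(b"DATA\r\n")
    if start < 0:
        return {}
    end = stream.find(b"\r\n\r\n", start + 6)
    headers, name = {}, None
    for line in stream[start + 6:end].split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and name:
            headers[name] += b" " + line.strip()
        elif b":" in line:
            raw, value = line.split(b":", 1)
            name = raw.decode().lower()
            headers[name] = value.strip()
    return {k: v.decode() for k, v in headers.items()}


def headers_from_sample():
    """End to end: build pcap, reassemble the port 25 flow, extract headers."""
    return smtp_headers(reassemble(build_sample_pcap())[(CLIENT, SERVER)])


if __name__ == "__main__":
    for k, v in headers_from_sample().items():
        print(f"{k}: {v}")
```

The same `reassemble` and `smtp_headers` calls work on a file written by `tcpdump -i eth0 -s 0 -w mail.pcap tcp port 25` once the bytes are read from disk; the per-alert packet snippets in a database cannot be rebuilt this way, because the segments carrying the headers were never stored.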

