Snort mailing list archives
RE: BandWidth question
From: "Bob Konigsberg" <bobkberg () networkeval com>
Date: Tue, 9 Aug 2005 16:13:59 -0700

As Matt already pointed out, Snort is not a good tool for this.

Personally, I'd recommend a periodically changing tcpdump capture file (hourly for example), followed by a script written in PERL (or possibly AWK) to format, extract, and identify the information you're looking for. The only fly in the ointment would be encrypted emails. (In actuality, I'd wonder why you're bothering - but that's not my problem - I'm just addressing your query)

Depending on your space requirements, you could either write the tcpdump file in binary (to save space) and parse it that way (more difficult), or just have tcpdump read the binary file, and pipe the output to your script.

Then delete the capture files when you're done with them - or - if you have a need to keep a certain amount of archive, then use a shell script to keep track of what's been written, read, and kept for the right period of time before deleting.

Unless you're looking for something horribly difficult, this approach should work fine.

Bob

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sabbiolina
Sent: Tuesday, August 09, 2005 2:54 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] BandWidth question

Hello there,
I need to analyze all e-mail traffic looking for specific words/sentences and dump to disk all messages matching those criteria.
On an average P4 3.2 mhz what is the hypothetical bandwidth limit (in megabits)?
Tnx
Sabbiolina

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
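
The workflow described in the message above (hourly rotating tcpdump capture, a script fed by tcpdump reading the binary file, then pruning old captures), sketched as an added example that is not part of the original thread or written by its participants. The interface name, capture directory, file prefix and 24-hour default retention are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface, directory, file
# prefix and retention period are assumptions; adjust them to your sensor.
CAP_DIR=${CAP_DIR:-/var/tmp/smtp-caps}   # assumed capture directory
IFACE=${IFACE:-eth0}                     # assumed monitoring interface

# Start a capture that rolls to a new binary file every hour (-G 3600); the
# strftime pattern in -w names each hour's file. Only cleartext SMTP is seen.
start_capture() {
    mkdir -p "$CAP_DIR" &&
    tcpdump -i "$IFACE" -nn -s 0 -G 3600 -w "$CAP_DIR/smtp-%Y%m%d%H.pcap" 'tcp port 25'
}

# Read "tcpdump -A" text on stdin; print "time src > dst<TAB>keyword" per hit.
# $1 = keyword file, one phrase per line, matched case-insensitively.
# Limits: phrases split across packets, base64 bodies and TLS are not matched.
match_keywords() {
    awk -v kwfile="$1" '
        BEGIN { while ((getline k < kwfile) > 0) if (k != "") kw[tolower(k)] = 1 }
        # Packet header line: remember time and endpoints for later hits.
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP6? / {
            hdr = $1 " " $3 " > " $5; sub(/:$/, "", hdr); next
        }
        # Payload line: report every keyword it contains.
        { line = tolower($0); for (k in kw) if (index(line, k)) print hdr "\t" k }
    '
}

# Have tcpdump decode one closed binary capture and pipe it to the matcher.
scan_capture() {   # $1 = pcap file, $2 = keyword file
    tcpdump -nn -A -r "$1" 2>/dev/null | match_keywords "$2"
}

# Delete capture files older than $2 hours from directory $1.
prune_captures() {
    find "$1" -maxdepth 1 -type f -name 'smtp-*.pcap' \
        -mmin +"$(( $2 * 60 ))" -exec rm -f {} +
}

# Dispatch: "capture", "scan <pcap> <keywords>", or "prune [hours]".
case "${1:-}" in
    capture) start_capture ;;
    scan)    scan_capture "$2" "$3" ;;
    prune)   prune_captures "$CAP_DIR" "${2:-24}" ;;
esac
```
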
Current thread:
- BandWidth question Sabbiolina (Aug 09)
- Re: BandWidth question Matt Kettler (Aug 09)
- Re: BandWidth question Alex Butcher, ISC/ISYS (Aug 10)
- RE: BandWidth question Bob Konigsberg (Aug 09)
- Re: BandWidth question Chris Lyon (Aug 09)
- <Possible follow-ups>
- RE: BandWidth question Willy, Andrew (Aug 09)
- Re: BandWidth question Matt Kettler (Aug 09)