Snort mailing list archives
Best practice for Snort with pcap file?
From: Nishant Bhat via Snort-users <snort-users () lists snort org>
Date: Fri, 16 Jun 2017 21:52:27 +0000
(Noob question) I'm setting up Snort 3, and the manual shows both how to set up Snort to listen to live traffic on a network interface, and how to have Snort inspect a packet capture file. I'm wondering which of these configurations is a better practice? I see more examples of the pcap-inspection setup, so I'm assuming this is what tends to get used. It also seems like this is the only way to take advantage of Snort 3's multithreading. In this case, do people usually set up a separate instance of tcpdump to capture packets? If so, how do you avoid having the pcap file use all your disk space? Thanks in advance!