[Snort-users] logging/alerting for analysis

Wes Bateman wbateman at ...387...
Tue Jan 2 18:26:57 EST 2001

Hello, sorry this might be a dumb question from a first-time poster,
but... :)

I've been seeing analysis websites like projects.honeypot.org that have
all these great captures to analyze.  I'm finding that in my own setup I
alert on packets that match signatures, and I have the packetdumps for
those.  These other sites have full, pretty 3 way handshakes and the
like.  Anybody have recommendations, comments, whatever on how to manage
monitoring many hosts, capturing as closely as possible the streams related
to signatures, yet not having to store every packet that crosses the wire?

I'm thinking this is a pipe dream.  Right?  I guess these sites are
capturing ALL traffic to/from honeypot-type hosts.  It's really cool to be
able to fully analyze both sides of the connections like that.  That's
lacking in the way I'm doing it now, only alerting on packets that match
my ruleset (primary vision).

Thanks for any ideas/input/flames/whatever :)