[Snort-users] How to use the packet logger and NID mode at the same time

Erek Adams erek at ...577...
Mon Nov 19 22:30:02 EST 2001


On Mon, 19 Nov 2001, Didier CONTIS wrote:

> I am trying to find out if it would be possible using one instance of snort,
> to simultaneously record all the traffic in one location and perform the
> regular NIDS analysis with alerts being logged in a different location
> (or sent to a database).

Yep.  Very doable.

> The idea behind dumping all the traffic is for us to record one or two days
> of traffic for post-mortem analysis.

Easily done.

> Has anyone tried something like that before ?

Nope.  Never did it.  Never admit it.  ;-)  It's all a figment of our
imaginations.


Serious Answer:  You're talking about "post processing".  Works the same basic
way that SHADOW does.  Record the data, then pass the data files off to
another process for processing after the fact.  Common, and done every day.

You can check the mail archives (instructions at the bottom of each
snort-users email...) for more info.

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
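The record-then-post-process workflow described in the reply, written out as an added example (not code from the thread or from the Snort project). It assumes a Snort 1.x binary on the PATH, the directory layout shown, and that the SNORT variable and the capture file names are placeholders you adjust; the `-b`, `-l`, `-i`, `-r` and `-c` options are standard Snort flags.

```shell
#!/bin/sh
# Pattern: capture everything first (packet-logger mode), then replay the
# captures through the rule set (NIDS mode) so alerts land in a separate
# directory. Two runs of snort, one data set.
SNORT=${SNORT:-snort}   # assumed: snort binary on PATH (overridable)

# Step 1: packet-logger mode. -b writes raw packets in tcpdump (pcap)
# format, -l names the directory, -i the interface. No -c, so every
# packet is recorded, not just those matching a rule.
record_traffic() {
  capdir=$1; iface=$2
  mkdir -p "$capdir"
  "$SNORT" -b -l "$capdir" -i "$iface"
}

# Step 2: post-processing. Replay each capture (snort.log* is the
# packet-logger's default file name) through the rules with -r; alerts go
# to $alertdir. Prints the number of files analysed; returns 1 on the
# first failed run so a cron job notices.
postprocess_captures() {
  capdir=$1; conf=$2; alertdir=$3; n=0
  mkdir -p "$alertdir"
  for f in "$capdir"/snort.log*; do
    [ -f "$f" ] || continue          # no captures yet: unexpanded glob
    "$SNORT" -r "$f" -c "$conf" -l "$alertdir" || return 1
    n=$((n + 1))
  done
  echo "$n"
}
```

Run `record_traffic /var/log/snort/pcap eth0` for the day or two of capture, then `postprocess_captures /var/log/snort/pcap /etc/snort/snort.conf /var/log/snort/alerts` against the resulting files.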