[Snort-users] How to use the packet logger and NID mode at the same time
erek at ...577...
Mon Nov 19 22:30:02 EST 2001
On Mon, 19 Nov 2001, Didier CONTIS wrote:
> I am trying to find out if it would be possible using one instance of snort,
> to simultaneously record all the traffic in one location and perform the
> regular NIDS analysis with alerts being logged in a different location
> (or sent to a database).
Yep. Very doable.
> The idea behind dumping all the traffic is for us to record one or two days
> of traffic for post-mortem analysis.
> Has anyone tried something like that before?
Nope. Never did it. Never admit it. ;-) It's all a figment of our
Serious Answer: You're talking about "post processing". Works the same basic
way that SHADOW does. Record the data, then pass the data files off to
another process for processing after the fact. Common, and done every day.
You can check the mail archives (instructions at the bottom of each
snort-users email...) for more info.
Hope this helps!
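One way to set up the workflow described in this reply (a single Snort process that alerts and records full traffic, plus a SHADOW-style replay of the recorded files), as an added example that is not part of the original thread. The config path, log directories, interface name and two-day retention are assumptions; the Snort flags used (-b, -l, -c, -r, -i, -D) are standard Snort 1.x/2.x options.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed paths and values below can be
# overridden from the environment.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}       # rules + output plugins (e.g. database)
CAPTURE_DIR=${CAPTURE_DIR:-/var/log/snort}            # full-traffic binary logs land here
REPLAY_DIR=${REPLAY_DIR:-/var/log/snort/postmortem}   # alerts from replayed captures
RETAIN_DAYS=${RETAIN_DAYS:-2}                         # "one or two days" of traffic

# Live mode: one Snort instance. Alerts go wherever snort.conf's output plugins
# send them; -b additionally writes every packet in tcpdump (pcap) format to
# CAPTURE_DIR as snort.log.<timestamp>, so capture and NIDS run together.
start_capture_and_nids() {
    iface=${1:-eth0}
    snort -D -i "$iface" -c "$SNORT_CONF" -l "$CAPTURE_DIR" -b
}

# Post-processing: read a recorded capture back through the same ruleset.
# Output is kept in a separate directory so it never mixes with live alerts.
replay_capture() {
    pcap=$1
    mkdir -p "$REPLAY_DIR"
    snort -r "$pcap" -c "$SNORT_CONF" -l "$REPLAY_DIR"
}

# Retention: full-packet logs grow fast, so remove binary captures older than
# RETAIN_DAYS. Prints each file removed. Only the capture directory itself is
# scanned (-maxdepth 1), so replay output in a subdirectory is untouched.
prune_old_captures() {
    dir=${1:-$CAPTURE_DIR}
    days=${2:-$RETAIN_DAYS}
    find "$dir" -maxdepth 1 -type f -name 'snort.log.*' -mtime "+$days" \
        -print -exec rm -f {} +
}
```

Run `start_capture_and_nids eth0` once at boot, `prune_old_captures` from cron, and `replay_capture /var/log/snort/snort.log.<timestamp>` when an incident calls for a second look at the recorded traffic.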