[Snort-users] Traffic storage/analysis

David LaPorte dave at ...6260...
Mon Jul 8 18:46:05 EDT 2002


I recently picked up a cheap 100GB drive and am looking to capture traffic 
across my DSL link (all of it - I figure I can keep a month or so) for 
forensic analysis.  I'd like to use Snort, as well as tcpdump, ethereal, etc. 
to look at the data after the fact.  The primary goal is to see IP in the 
wild - ID is part of that, but not the only goal.

I'm assuming I should store in tcpdump format since it is most widely 
supported.  What should I use to capture and where should I put it - is 
tcpdump to a flat file the best way to go?

My priority is fast random access to the collected data (any sort of RAID is 
not an option - I have only one drive).  I could write out a new file every 
hour to minimize the size, but what if an event crosses an hour threshold?  Is 
anyone doing something similar?  

Sorry this is a little off-topic, but I figured someone out there must be 
logging all their traffic.

Dave LaPorte
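Added example (not part of the original post or any reply): the rotation the post considers is what tcpdump's `-G 3600 -w 'dsl-%Y%m%d%H.pcap' -s 0` does (one file per hour, names from strftime). The boundary problem is then solved at read time rather than at capture time: index the hourly files once by their first and last timestamps, and answer "give me 18:59:50 to 19:00:10" by reading every file whose span overlaps the window, so an event that straddles the rotation comes back whole. The script below is a standard-library-only pcap reader/writer plus that index; the two hourly capture files, the hour boundary `HOUR` (2002-07-08 18:00:00 UTC) and the Ethernet frames with text labels as payload are all constructed sample data, and the file names are assumed, not anything the poster described.

```python
"""Hourly pcap rotation plus cross-file time-window extraction (added example)."""
import glob
import os
import struct
import tempfile

# pcap ("tcpdump format") layout: a 24-byte global header, then records of a
# 16-byte header (ts_sec, ts_frac, incl_len, orig_len) followed by the captured bytes.
MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps (newer tcpdump with --time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1


def write_pcap(path, packets, snaplen=65535):
    """Write (timestamp_seconds, frame_bytes) pairs as a little-endian, usec-resolution pcap."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (timestamp_seconds, frame_bytes); accepts either byte order and either time resolution."""
    with open(path, "rb") as f:
        raw_magic = f.read(4)
        for order in ("<", ">"):
            magic = struct.unpack(order + "I", raw_magic)[0]
            if magic in (MAGIC_USEC, MAGIC_NSEC):
                break
        else:
            raise ValueError(f"{path}: not a pcap file")
        divisor = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
        f.read(20)  # rest of the global header; link type is not needed for indexing
        hdr = struct.Struct(order + "IIII")
        while True:
            h = f.read(hdr.size)
            if len(h) < hdr.size:
                return  # clean EOF, or a partial header left by an interrupted capture
            sec, frac, incl_len, _orig_len = hdr.unpack(h)
            frame = f.read(incl_len)
            if len(frame) < incl_len:
                return  # truncated last record: tcpdump was killed mid-write
            yield sec + frac / divisor, frame


def index_captures(pattern):
    """Build a (first_ts, last_ts, path) list over rotated files; built once, reused for every query."""
    index = []
    for path in sorted(glob.glob(pattern)):
        first = last = None
        for ts, _ in read_pcap(path):
            if first is None:
                first = ts
            last = ts
        if first is not None:
            index.append((first, last, path))
    return index


def extract_window(index, t0, t1):
    """Return all packets with t0 <= ts <= t1 from every file overlapping the window, in time order."""
    hits = []
    for first, last, path in index:
        if last < t0 or first > t1:
            continue  # file lies entirely outside the window: never opened
        hits.extend((ts, frame) for ts, frame in read_pcap(path) if t0 <= ts <= t1)
    hits.sort(key=lambda p: p[0])
    return hits


HOUR = 1026151200  # constructed: 2002-07-08 18:00:00 UTC, an exact hour boundary


def _frame(label):
    # Constructed Ethernet frame: zero dst/src MACs, EtherType 0x0800, then a text label as payload.
    return bytes(12) + b"\x08\x00" + label


def build_sample_captures(directory):
    """Write two constructed hourly files, named as tcpdump -G 3600 -w 'dsl-%Y%m%d%H.pcap' would."""
    hour1 = [(HOUR + 10, _frame(b"h1-p1")), (HOUR + 3500, _frame(b"h1-p2")), (HOUR + 3599.5, _frame(b"h1-p3"))]
    hour2 = [(HOUR + 3600.2, _frame(b"h2-p1")), (HOUR + 3700, _frame(b"h2-p2")), (HOUR + 6600, _frame(b"h2-p3"))]
    write_pcap(os.path.join(directory, "dsl-2002070818.pcap"), hour1)
    write_pcap(os.path.join(directory, "dsl-2002070819.pcap"), hour2)


def run_demo():
    """Pull an event spanning 18:59:50 to 19:00:10 out of two hourly files and re-save it as one pcap."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_captures(d)
        idx = index_captures(os.path.join(d, "dsl-*.pcap"))
        hits = extract_window(idx, HOUR + 3590, HOUR + 3610)
        out = os.path.join(d, "event.pcap")
        write_pcap(out, hits)  # the stitched result reads back with tcpdump -r / ethereal / snort -r
        reread = list(read_pcap(out))
        return {"files": len(idx), "hits": [frame[14:] for _, frame in hits], "reread": len(reread)}


if __name__ == "__main__":
    print(run_demo())
```

The index is the part that gives fast random access on a single spindle: a query touches only the files whose time span overlaps it, so a month of hourly files costs at most two file reads for any event shorter than an hour. Keeping the index as a small side file (rebuilt only for new captures) avoids rescanning old files; reading to the last record of each file also surfaces a capture file that was truncated when tcpdump was interrupted, which the reader tolerates instead of crashing.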

