[Snort-users] Re: Traffic storage/analysis

Bob Hillegas bobhillegas at ...6262...
Tue Jul 9 05:56:02 EDT 2002


I captured all packets for some time. I used to use ppp and therefore had good 
cutoff points when the interface went down. I used the following in my 
snort.conf file:

# custom rule type: log only (no alerting), written out in tcpdump format
ruletype bulk
{
 type log
 output log_tcpdump: bulk.log
}
# match every IP packet in either direction and hand it to the bulk logger
bulk ip any any -> any any (msg:"Capture all ip packets")

In that setup, I dumped snort and ipchains stats to syslog and compared the
number of packets captured to the number of packets reported by ipchains. They
matched.

BUT, you will find some discrepancies in Snort's stats. The summary total number 
of packets is inflated by the number of fragments (or thereabouts, details have 
faded; I now have moved to a cable modem and have stopped capturing all 
packets).

Issues to conquer:
1) w/o a patch, snort timestamps its files with day and hour, problem when you 
create file2 during same hour. I got around it by renaming file.
2) Make sure you don't use -z est. It does limit the number of packets it 
captures.


Have fun, BobH
-- 
----------------------------------
Bob Hillegas
bobhillegas at ...6262...

On Mon, 8 Jul 2002 David LaPorte <dave at ...6260...> wrote:

  > Date: Mon,  8 Jul 2002 21:45:42 -0400
  > From: David LaPorte <dave at ...6260...>
  > To: snort-users at lists.sourceforge.net
  > Subject: [Snort-users] Traffic storage/analysis
  > 
  > Hello,
  > 
  > I recently picked up a cheap 100GB drive and am looking to capture traffic 
  > across my DSL link (all of it - I figure I can keep a month or so) for 
  > forensic analysis.  I'd like to use Snort, as well as tcpdump, ethereal, etc. 
  > to look at the data after the fact.  The primary goal is to see IP in the 
  > wild - ID is part of that, but not the only goal.
  > 
  > I'm assuming I should store in tcpdump format since it is most widely 
  > supported.  What should I use to capture and where should I put it - is 
  > tcpdump to a flat file the best way to go?
  > 
  > My priority is fast random access to the collected data (any sort of RAID is 
  > not an option - I have only one drive).  I could write out a new file every 
  > hour to minimize the size, but what if an event crosses an hour threshold?  Is 
  > anyone doing something similar?  
  > 
  > Sorry this is a little off-topic, but I figured someone out there must be 
  > logging all their traffic.
  > 
  > thanks,
  > Dave LaPorte
  > 
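An added example, not code from Bob's post or from the Snort project: a Python script that walks a tcpdump-format file such as the bulk.log that Bob's log_tcpdump line writes, counting records, IP fragment records and records per UTC hour, so the file's totals can be checked against what the firewall counted and the hour-boundary split Dave asks about can be seen. It assumes Ethernet link type and runs on a constructed three-packet capture built inside the script.

```python
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

def summarize_pcap(data):
    """Walk a tcpdump/pcap byte string; return record, fragment and per-hour counts."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a tcpdump-format file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:  # assumption: Ethernet captures only
        raise ValueError("only Ethernet (DLT 1) captures are handled")
    off, records, fragments, per_hour = 24, 0, 0, Counter()
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        records += 1
        # bucket by UTC hour: this is where an hourly file split would cut the data
        per_hour[datetime.fromtimestamp(ts_sec, timezone.utc).strftime("%Y-%m-%d %H")] += 1
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # IPv4 over Ethernet
            flags_frag, = struct.unpack_from("!H", frame, 20)
            if flags_frag & 0x2000 or flags_frag & 0x1FFF:  # MF set or nonzero offset
                fragments += 1
    return {"records": records, "fragments": fragments, "per_hour": dict(per_hour)}

def _frame(ident, flags_frag, payload=b"x" * 8):
    """Constructed Ethernet+IPv4 frame with the given fragment field (sample data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                     64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def _record(ts_sec, frame):
    """Constructed pcap record header (little-endian) followed by the frame."""
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

# Constructed three-record capture: one whole datagram and two fragments of another,
# with the second fragment landing in the next hour (2002-07-09 00:xx and 01:xx UTC).
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record(1026172800, _frame(1, 0x4000))
               + _record(1026172801, _frame(2, 0x2000))
               + _record(1026176400, _frame(2, 0x0003)))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(summarize_pcap(data))
```

Run it with a capture path as the first argument to summarize a real file; with no argument it summarizes the constructed sample.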
