[Snort-users] Log everything for billing purposes

Matt Kettler mkettler at ...7367...
Thu Apr 3 18:21:24 EST 2003


Since you really want bandwidth accounting, not packet logging, I'd suggest 
using tools designed for accounting, not IDS's.

Using snort this way won't make you happy, as it tends to lose packets 
when it tries to log everything. Even tcpdump would be orders of magnitude 
better as it handles high load better (it doesn't do text searches). But 
let's face it... that's _really_ silly.

Most other modern kernel-level packet filter tools have very good 
accounting capabilities and even traffic shaping capabilities. Look at 
Linux's IPTables and the BSD's IPF. They should be able to do what you 
want, and aren't going to have to log every packet that goes by to do it.

At 05:09 PM 4/3/2003 -0800, Ross Davis - DataAnywhere wrote:
>If snort is not a good way to log the traffic, does anyone know of a
>good (and inexpensive) traffic accounting program?
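
Added example, not part of the original message: per-host byte accounting with iptables counting rules (rules with no `-j` target only increment counters), totalled from `iptables-save -c` output. The chain name `ACCT`, the helper names and the 192.0.2.x addresses and counter values are constructed for illustration.

```shell
#!/bin/sh
# Counting rules an operator would load once (root required; shown as
# comments so this script itself changes nothing on the host):
#   iptables -N ACCT
#   iptables -I FORWARD -j ACCT
#   iptables -A ACCT -d 192.0.2.10    # no -j target: count only
#   iptables -A ACCT -s 192.0.2.10
# Read the counters later with:  iptables-save -c | acct_totals ACCT

# acct_totals CHAIN: read `iptables-save -c` output on stdin and print
# "ip bytes_in bytes_out" for every host that has a counting rule.
acct_totals() {
    awk -v chain="$1" '
        $2 == "-A" && $3 == chain {
            # $1 has the form [packets:bytes]
            split(substr($1, 2, length($1) - 2), c, ":")
            for (i = 4; i < NF; i++) {
                if ($i == "-d" || $i == "-s") {
                    ip = $(i + 1); sub(/\/32$/, "", ip)
                    if ($i == "-d") in_b[ip] += c[2]; else out_b[ip] += c[2]
                    seen[ip] = 1
                }
            }
        }
        # %.0f rather than %d: byte counters routinely exceed 2^31
        END { for (ip in seen) printf "%s %.0f %.0f\n", ip, in_b[ip], out_b[ip] }
    ' | sort
}

# Constructed sample in iptables-save -c format (not captured from a host).
sample_counters() {
    cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
:ACCT - [0:0]
[2300:5000484000] -A FORWARD -j ACCT
[1200:5000000000] -A ACCT -d 192.0.2.10/32
[800:64000] -A ACCT -s 192.0.2.10/32
[300:420000] -A ACCT -d 192.0.2.11/32
COMMIT
EOF
}

sample_counters | acct_totals ACCT
```

The kernel keeps these counters per rule, so nothing is logged per packet; `iptables -Z ACCT` resets them at the start of a billing period.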




