[Snort-users] BandWidth question

Matt Kettler mkettler at ...4108...
Tue Aug 9 15:46:15 EDT 2005


Sabbiolina wrote:
> Hello there,
> I need to analyze all e-mail traffic looking for specific
> words/sentences and dump to disk all messages matching those criteria.
> On an average P4 3.2 mhz what is the ipotetic bandwidth limit (in
> megabits)?

Snort is NOT a good tool for this kind of thing, so bandwidth is irrelevant.

Snort would only be able to log to disk a small fraction of the message that
matched. Namely, the chunk of the datastream from stream4 that matched. We're
talking 1.5k bytes at most.

Snort is a NIDS, which is a Network Intrusion Detection System. At a very
fundamental level, snort operates on network packets.

Snort does not operate on email messages, webpages, files, or anything else,
except to the extent that parts of them exist in the packets snort observes.
Snort does not strip things out into their "larger parts" and analyze them, so
it has no concept of where an email message begins and ends. Snort sees a series
of packets and knows they are a part of the same datastream, and they go one
after the other.

Stream4 assists snort in re-assembling datastreams across packets, but it
doesn't buffer very much, as it's only intended to assemble tiny packets
together into lumps of a few hundred bytes at a time. If a packet is "decent
sized" (more than a few hundred bytes) AFAIK stream4 doesn't buffer it.


Aside from Stream4, snort retains no memory of the contents of packets that have
already come by. By the time you detect a "content" in a message, all the
packets that began the message are already forgotten by snort.







More information about the Snort-users mailing list