[Snort-users] BandWidth question

Bob Konigsberg bobkberg at ...12746...
Tue Aug 9 16:21:44 EDT 2005


As Matt already pointed out, Snort is not a good tool for this.

Personally, I'd recommend a periodically changing tcpdump capture file
(hourly for example), followed by a script written in PERL (or possibly AWK)
to format, extract, and identify the information you're looking for.  The
only fly in the ointment would be encrypted emails.

(In actuality, I'd wonder why you're bothering - but that's not my problem -
I'm just addressing your query)

Depending on your space requirements, you could either write the tcpdump
file in binary (to save space) and parse it that way (more difficult), or
just have tcpdump read the binary file, and pipe the output to your script.
Then delete the capture files when you're done with them - or - if you have
a need to keep a certain amount of archive, then use a shell script to keep
track of what's been written, read, and kept for the right period of time
before deleting.  

Unless you're looking for something horribly difficult, this approach should
work fine.

Bob 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Sabbiolina
Sent: Tuesday, August 09, 2005 2:54 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] BandWidth question

Hello there,
I need to analyze all e-mail traffic looking for specific words/sentences
and dump to disk all messages matching those criteria.
On an average P4 3.2 mhz what is the hypothetical bandwidth limit (in megabits)?


Tnx
Sabbiolina
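
The rotate, read, and expire workflow described in the reply above, as an added example that is not part of the original thread. The interface name, capture filter, `.done` marker files, and the `PCAP_READER` and `QUIET_MIN` variables are assumptions; it records the matching lines of tcpdump's ASCII output rather than whole reassembled messages, and encrypted mail will not match.

```shell
#!/bin/sh
# Added example: process and expire hourly tcpdump capture files.
# Capture side, run separately (interface and filter are assumptions):
#   tcpdump -i eth0 -G 3600 -w 'mail-%Y%m%d%H.pcap' 'tcp port 25'

# Command that turns one binary capture into text; -A prints payload as ASCII.
PCAP_READER=${PCAP_READER:-"tcpdump -nn -A -r"}
# Skip files modified in the last N minutes: tcpdump may still be writing them.
QUIET_MIN=${QUIET_MIN:-5}

# process_captures DIR PATTERNS OUTDIR
# Search every finished, not-yet-read capture for the fixed strings listed
# one per line in PATTERNS (case-insensitive) and save the matching lines.
process_captures() {
    dir=$1 pats=$2 out=$3
    mkdir -p "$out"
    find "$dir" -name '*.pcap' -mmin +"$QUIET_MIN" | while IFS= read -r f; do
        [ -e "$f.done" ] && continue            # already read
        hits="$out/$(basename "$f" .pcap).hits"
        # $PCAP_READER is left unquoted on purpose so its options split.
        if $PCAP_READER "$f" 2>/dev/null | grep -i -F -f "$pats" > "$hits.tmp"; then
            mv "$hits.tmp" "$hits"              # keep only files with matches
        else
            rm -f "$hits.tmp"                   # no match: leave nothing behind
        fi
        touch "$f.done"                         # marker checked by prune_captures
    done
}

# prune_captures DIR DAYS
# Delete captures older than DAYS, but only once they have been read.
prune_captures() {
    dir=$1 days=$2
    find "$dir" -name '*.pcap' -mtime +"$days" | while IFS= read -r f; do
        [ -e "$f.done" ] || continue            # never delete unread captures
        rm -f "$f" "$f.done"
    done
}
```

Both functions are meant to be called from cron after each rotation, for example `process_captures /var/cap patterns.txt /var/cap/hits` followed by `prune_captures /var/cap 7` (paths are placeholders).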

