[Snort-users] BandWidth question

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Wed Aug 10 03:34:42 EDT 2005


--On 09 August 2005 18:43 -0400 Matt Kettler <mkettler at ...4108...> wrote:

> Sabbiolina wrote:
>> Hello there,
>> I need to analyze all e-mail traffic looking for specific
>> words/sentences and dump to disk all messages matching those criteria.
>> On an average P4 3.2 mhz what is the hypothetical bandwidth limit (in
>> megabits)?
>
> Snort is NOT a good tool for this kind of thing, so bandwidth is
> irrelevant.
>
> Snort would only be able to log to disk a small fraction of the message
> that matched. Namely, the chunk of the datastream from stream4 that
> matched. We're talking 1.5k bytes at most.

You could use tag:session to get larger chunks.

But to be honest, the OP would be better served getting one of the various 
purpose-built email archival systems that are now available, if the driver 
is some sort of legal/regulatory reason.

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
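
The `tag:session` option suggested in the reply above, sketched as an added example that is not part of the original post: two Snort 2.x rules matching a keyword in SMTP traffic, the first logging only the matching chunk and the second tagging the rest of the session. The keyword, the `sid` values and the 300-second window are constructed placeholders, and `$SMTP_SERVERS` is assumed to be defined in `snort.conf`.

```snort
# Constructed example rules, not from the original thread.

# Without tagging: only the packet/stream chunk that matched is logged.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"LOCAL SMTP keyword match (matching chunk only)"; \
    flow:to_server,established; \
    content:"example-keyword"; nocase; \
    sid:1000001; rev:1;)

# With tagging: after the match, keep logging packets from the same
# session for the next 300 seconds (metric may be packets, seconds or bytes).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"LOCAL SMTP keyword match (session tagged)"; \
    flow:to_server,established; \
    content:"example-keyword"; nocase; \
    tag:session,300,seconds; \
    sid:1000002; rev:1;)
```

Tagging only captures packets seen after the rule fires, so any part of the message sent before the keyword is still missing from the log.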
