[Snort-users] Stream/Packet Capture with Snort

Paul Melson psmelson at ...5068...
Tue May 10 06:59:45 EDT 2005


Right now I'm logging alerts directly from Snort to MySQL.  The MySQL
database is on another box with more than enough resources to handle what
I'm considering throwing at it.  So are you saying that the performance of
the Snort sensor itself is going to suffer, and if so, in what way(s)?

Anyway, I had considered using tcpdump to log the e-mail traffic I am
interested in, but my Snort deployment is connected back to a larger ISM
system that can query the MySQL database for packet payload.  It's worth the
disk and memory costs to have that information available to me through the
ISM.  If I can't get Snort to do it, then I might use tcpdump or ngrep for
one-off work, but I'd like to have this capability available within my
current framework just by changing snort.conf and restarting the sensor.

PaulM

-----Original Message-----
Subject: Re: [Snort-users] Stream/Packet Capture with Snort

Paul Melson wrote:
> 
> I'm using one of my Snort sensors (v2.3.2 w/ flexresp) to monitor, 
> among other things, outbound e-mail traffic.  Right now I am logging 
> to a MySQL database and can view the offending packet data on a 
> per-alert basis.  In the case of e-mail traffic, packet captures of 
> lengthy messages (say those with MIME attachments) don't always include
> the message headers.
> 

Hello Paul,

Have you considered just logging port 25 TCP traffic with Tcpdump? 
Putting packets in a database (especially lots of packets) is a bad idea,
IMHO, despite the fact that plenty of vendors do it.  Leaving traffic in
pcap format gives you more options to process whatever you collect.

On a related note, since you mentioned database logging -- are you using
Barnyard or another Snort output spool reader, or are you asking Snort to
make MySQL inserts?  Not using Barnyard or an equivalent is a real
performance killer.
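The missing-headers problem Paul describes, and the reply's point that keeping traffic in pcap form leaves more ways to process it, as an added example that is not part of this thread and not Snort's or Barnyard's code: a stdlib-only Python script that constructs a three-segment outbound SMTP session (constructed sample data, not captured traffic), writes it as a libpcap file the way tcpdump -w would, then contrasts what a per-alert packet log keeps (only the one segment that matched, with no message headers) against what sequence-number reassembly over the pcap recovers (the whole message). The hosts, ports, initial sequence number and message contents are assumptions, and the reassembler is deliberately one-directional with no handshake tracking.

```python
import struct
import socket

# --- Constructed sample SMTP session (assumed values, not real traffic) ---
CLIENT, SERVER = "10.0.0.5", "192.0.2.25"
CLIENT_PORT, SMTP_PORT = 40123, 25
ISN = 1000  # sequence number of the client's first DATA byte (hypothetical)

HEADERS = (b"From: alice@example.com\r\nTo: bob@example.org\r\n"
           b"Subject: quarterly report\r\nMIME-Version: 1.0\r\n"
           b"Content-Type: multipart/mixed; boundary=XX\r\n\r\n")
BODY = b"--XX\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
ATTACHMENT = (b"--XX\r\nContent-Type: application/octet-stream; name=data.xls\r\n"
              b"Content-Transfer-Encoding: base64\r\n\r\nUEsDBBQAAAAIAA==\r\n"
              b"--XX--\r\n.\r\n")

def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame carrying payload. Checksums are left zero:
    this is input for an offline parser, not something to transmit."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(frames):
    """Serialise frames as a little-endian libpcap file (linktype 1, Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1115722785 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(blob):
    """Yield raw frames from a little-endian Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(blob):
        _, _, incl, _ = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield blob[off:off + incl]
        off += incl

def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload), or None for non-TCP."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    t = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, t)
    doff = (frame[t + 12] >> 4) * 4
    return src, dst, sport, dport, seq, frame[t + doff:14 + total_len]

def alert_payload(blob, pattern):
    """What a per-alert packet log keeps: the payload of the single packet
    that matched, and nothing from earlier segments of the same session."""
    for frame in read_pcap(blob):
        pkt = parse_tcp(frame)
        if pkt and pattern in pkt[5]:
            return pkt[5]
    return None

def reassemble(blob, sport, dport):
    """Rebuild one direction of a TCP stream from the pcap: order segments
    by sequence number and drop bytes already seen (retransmits, overlaps)."""
    segs = sorted((p[4], p[5]) for p in map(parse_tcp, read_pcap(blob))
                  if p and p[2] == sport and p[3] == dport and p[5])
    data, nxt = bytearray(), None
    for seq, payload in segs:
        if nxt is None:
            nxt = seq
        if seq + len(payload) <= nxt:      # whole segment already seen
            continue
        if seq < nxt:                      # partial overlap: keep new tail only
            payload, seq = payload[nxt - seq:], nxt
        if seq > nxt:                      # hole: a real reassembler would wait
            break
        data += payload
        nxt = seq + len(payload)
    return bytes(data)

def sample_pcap():
    """Three data segments written out of order, plus one retransmitted BODY."""
    def seg(seq, payload):
        return build_frame(CLIENT, SERVER, CLIENT_PORT, SMTP_PORT, seq, payload)
    s1, s2, s3 = ISN, ISN + len(HEADERS), ISN + len(HEADERS) + len(BODY)
    return write_pcap([seg(s1, HEADERS), seg(s3, ATTACHMENT), seg(s2, BODY), seg(s2, BODY)])

if __name__ == "__main__":
    blob = sample_pcap()
    hit = alert_payload(blob, b"name=data.xls")
    print("per-alert packet contains headers:", b"From:" in hit)
    print("reassembled stream contains headers:",
          reassemble(blob, CLIENT_PORT, SMTP_PORT).startswith(b"From:"))
```

The alert fires on the attachment segment, so a database row holding that packet's payload has no From:, To: or Subject: line; the reassembled client-to-server stream has all of them, in order, with the retransmitted segment discarded. Run it, or point read_pcap at a file written by tcpdump -s 0 -w on port 25 to do the same after the fact.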




