[Snort-users] [Snort-Users] about capturing packets

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Feb 14 12:17:29 EST 2012


+1.  I also have about 7TB and StreamDB does take about a second or so to look up stream information.  I also have OpenFPC running for full packet captures, and I can't remember the last time I went to those.

I have mine integrated into BASE (see the screenshot), BOTH StreamDB and OpenFPC (for multiple locations).  This has made Snort event analysis so much easier and less time consuming.



-----Original Message-----
From: Martin Holste [mailto:mcholste at ...11827...] 
Sent: Tuesday, February 14, 2012 6:58 AM

<snip>

It does all of this in less than one second even on a 10 TB data store, because the flows themselves are indexed by IP and timestamp.

We run full pcap alongside StreamDB and almost never need to go back and wait around to grab pcap.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: packet_cap.JPG
Type: image/jpeg
Size: 63396 bytes
Desc: packet_cap.JPG
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120214/f746b228/attachment.jpe>
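The sub-second lookup described in the quoted message comes from keying flow records on IP and timestamp rather than scanning the whole store. The following is an added illustration written for this page, not StreamDB's, OpenFPC's or BASE's code: a small Python/SQLite model of such an index plus the two pivots an analyst makes from a Snort event (every flow touching one host around the alert time, and every flow between the alert's two hosts). The table layout, index names and flow records are constructed for the example; the planner check shows that the lookups really are served by the IP-then-time indexes.

```python
"""Flow lookup keyed by (IP, timestamp), modelled on the StreamDB-style
pivot from a Snort alert to the flows around it.  Added example with
constructed data; not code from StreamDB, OpenFPC or BASE."""
import sqlite3

# Constructed sample flows (not real traffic); timestamps are epoch seconds.
# (start_ts, src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    (1329220000, "10.0.0.5", 51234, "192.0.2.10", 80, 6, 4200),
    (1329220030, "10.0.0.5", 51235, "192.0.2.10", 443, 6, 9100),
    (1329220100, "10.0.0.7", 40000, "192.0.2.10", 80, 6, 300),
    (1329223600, "10.0.0.5", 51300, "192.0.2.10", 80, 6, 777),   # an hour later
    (1329220045, "192.0.2.10", 80, "10.0.0.5", 51234, 6, 12000),  # reverse direction
]

COLUMNS = "start_ts, src_ip, src_port, dst_ip, dst_port, proto, bytes"

# Each half of the UNION is answered by one composite index: the equality on
# the IP column narrows to that host's rows, then the BETWEEN range-scans the
# time window.  Nothing in either branch forces a full table scan.
HOST_QUERY = f"""
SELECT {COLUMNS} FROM flows WHERE src_ip = :ip AND start_ts BETWEEN :t0 AND :t1
UNION
SELECT {COLUMNS} FROM flows WHERE dst_ip = :ip AND start_ts BETWEEN :t0 AND :t1
ORDER BY start_ts"""

PAIR_QUERY = f"""
SELECT {COLUMNS} FROM flows
 WHERE src_ip = :a AND dst_ip = :b AND start_ts BETWEEN :t0 AND :t1
UNION
SELECT {COLUMNS} FROM flows
 WHERE src_ip = :b AND dst_ip = :a AND start_ts BETWEEN :t0 AND :t1
ORDER BY start_ts"""


def build_index(flows):
    """Load flow records into an in-memory store with IP-then-time indexes."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE flows ({COLUMNS})")
    db.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?)", flows)
    # IP first, timestamp second: the lookup key an alert gives us.
    db.execute("CREATE INDEX idx_src ON flows (src_ip, start_ts)")
    db.execute("CREATE INDEX idx_dst ON flows (dst_ip, start_ts)")
    db.commit()
    return db


def _window(alert_ts, window):
    return {"t0": alert_ts - window, "t1": alert_ts + window}


def flows_for_host(db, ip, alert_ts, window=60):
    """All flows where `ip` is source or destination, +/- window seconds of the alert."""
    params = {"ip": ip, **_window(alert_ts, window)}
    return db.execute(HOST_QUERY, params).fetchall()


def flows_for_pair(db, ip_a, ip_b, alert_ts, window=60):
    """All flows between the alert's two hosts in either direction, +/- window seconds."""
    params = {"a": ip_a, "b": ip_b, **_window(alert_ts, window)}
    return db.execute(PAIR_QUERY, params).fetchall()


def indexes_in_plan(db):
    """Names of the indexes SQLite's planner uses for the host lookup.

    If this ever comes back without both index names, a schema or query change
    has silently turned the sub-second lookup into a full scan."""
    params = {"ip": "10.0.0.5", "t0": 0, "t1": 1}
    plan = db.execute("EXPLAIN QUERY PLAN " + HOST_QUERY, params).fetchall()
    found = set()
    for row in plan:
        detail = row[-1]
        for name in ("idx_src", "idx_dst"):
            if name in detail:
                found.add(name)
    return found


if __name__ == "__main__":
    store = build_index(SAMPLE_FLOWS)
    # A hypothetical Snort event: 10.0.0.5 -> 192.0.2.10 at 1329220020.
    for row in flows_for_pair(store, "10.0.0.5", "192.0.2.10", 1329220020):
        print(row)
    print("indexes used:", sorted(indexes_in_plan(store)))
```

Run as-is, the host lookup returns only the three flows that touch 10.0.0.5 within a minute of the alert; the 10.0.0.7 flow and the one an hour later are excluded, the first by the IP key and the second by the time range. Widening the window to two hours brings the later flow back in, which is the same trade-off an analyst makes when choosing how far around a Snort event to look.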

