Snort mailing list archives
Re: -b binary capture
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 28 Sep 2001 10:11:13 -0700 (PDT)
On Fri, 28 Sep 2001, Greg Sarsons wrote:
I see that snort by default with binary dump captures 1514. Well this is just too much for my little 30 Gig hard drive on a busy school network. I'm going to do some analysis with snort after but will also be using tcptrace, ipfw and a few others. If I grab 10%, say 150 vice 1514, will I really be limiting what I can do after? Doesn't tcpdump by default grab 68?
You limit yourself if you don't get the full packet payload. That can be the difference between a false positive and an actual attack. And yes, tcpdump does grab 68. Just headers, no payload.
The traffic bw from what I know on the network has peaked at about 20Mb/sec but the average seems to be 11Mb/sec. If I plug into another smaller subnet the traffic bw could drop even more.
Sounds about average for what you are describing.
Again this has got to fit on a 30Gig drive. The more days that I can capture the better for the statistics. Filling the hard drive in only one day doesn't really give a nice look.
Ug... I'm assuming you're using IDE?
Any recommendations?
Other than dropping $100 and getting another drive? :-) You might consider dumping the data off to another box for post processing every so often. You're in kinda a tough spot... Sorry I can't be of more help.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
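The trade-off the thread is arguing about (a smaller snaplen buys capture days on the 30 GB drive, but throws away payload that Snort's rules need) can be put into numbers. The following is an added example, not code from the thread or from the Snort project: it writes a libpcap-format file (the same format Snort's -b log and tcpdump use) with a chosen snaplen, parses it back to show which packets were truncated, and estimates how many days of capture fit on the drive for the 11 Mb/s figure quoted above. The traffic mix (40% bare ACKs, 20% small requests, 40% full-MTU frames) and the 1514/150/68 snaplen choices are constructed assumptions for illustration; headers are assumed to be Ethernet + IP + TCP without options.

```python
"""Estimate what a smaller snaplen buys (disk days) and costs (payload bytes)
for a libpcap-format capture such as Snort's -b binary log.
Added example, not from the original thread; the traffic mix is constructed."""
import struct

PCAP_GLOBAL_HDR_LEN = 24   # libpcap file header
PCAP_RECORD_HDR_LEN = 16   # per-packet header: ts_sec, ts_usec, incl_len, orig_len
ETH_HDR_LEN = 14
LINKTYPE_ETHERNET = 1


def build_pcap(frames, snaplen):
    """Write raw Ethernet frames into a libpcap byte string, truncating each
    frame to snaplen exactly as tcpdump -s / Snort would on capture."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        incl = min(len(frame), snaplen)
        # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        out += struct.pack("<IIII", 1001545873 + i, 0, incl, len(frame))
        out += frame[:incl]
    return bytes(out)


def read_pcap(data):
    """Parse a libpcap byte string; return [(incl_len, orig_len), ...].
    incl_len < orig_len marks a packet whose tail was cut off by the snaplen."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off, records = PCAP_GLOBAL_HDR_LEN, []
    while off < len(data):
        _, _, incl, orig = struct.unpack_from("<IIII", data, off)
        records.append((incl, orig))
        off += PCAP_RECORD_HDR_LEN + incl
    return records


def pcap_size(wire_lens, snaplen):
    """On-disk bytes for a capture of frames with the given wire lengths."""
    return PCAP_GLOBAL_HDR_LEN + sum(PCAP_RECORD_HDR_LEN + min(n, snaplen)
                                     for n in wire_lens)


def payload_kept(wire_len, snaplen, ip_hdr=20, tcp_hdr=20):
    """TCP payload bytes that survive truncation (assumes no IP/TCP options)."""
    hdrs = ETH_HDR_LEN + ip_hdr + tcp_hdr
    return max(0, min(wire_len, snaplen) - hdrs)


def capture_days(disk_bytes, bits_per_sec, mix, snaplen):
    """Days of capture that fit on disk for a traffic mix [(wire_len, fraction), ...]."""
    avg_wire = sum(n * f for n, f in mix)
    pps = bits_per_sec / 8 / avg_wire
    avg_disk = sum((PCAP_RECORD_HDR_LEN + min(n, snaplen)) * f for n, f in mix)
    return disk_bytes / (pps * avg_disk * 86400)


# Constructed traffic mix: bare ACKs, small requests, full-MTU frames.
MIX = [(64, 0.40), (200, 0.20), (1514, 0.40)]
DISK = 30e9   # the 30 GB drive from the thread
RATE = 11e6   # ~11 Mb/s average from the thread

if __name__ == "__main__":
    for snap in (1514, 150, 68):
        print(f"snaplen {snap:5d}: {capture_days(DISK, RATE, MIX, snap):5.2f} days on disk, "
              f"{payload_kept(1514, snap):4d} payload bytes kept of a full frame")
    # Check the sizing model against a real pcap written at snaplen 150.
    frames = [bytes(n) for n, _ in MIX]
    blob = build_pcap(frames, 150)
    assert len(blob) == pcap_size([len(f) for f in frames], 150)
    print(read_pcap(blob))   # [(64, 64), (150, 200), (150, 1514)]
```

Under these assumptions the full 1514-byte snaplen fills the drive in about six hours, 150 bytes gives roughly 1.3 days, and tcpdump's 68-byte default roughly two days, because every record still costs its 16-byte header plus the headers of every packet; the snaplen only shaves the payload of the large frames. The other column shows the cost: a 150-byte snaplen keeps 96 bytes of payload from a full frame (enough for many rule content matches near the start of a request, not enough for anything deeper), while 68 bytes keeps 14, which is why a headers-only capture cannot settle a false positive. The snaplen is set with `tcpdump -s <bytes>`; Snort of that era took it with -P (from memory of the 1.x usage text; check `snort -?` on your version).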
Current thread:
- -b binary capture Greg Sarsons (Sep 28)
- Re: -b binary capture Erek Adams (Sep 28)