Snort mailing list archives
Re: How to use the packet logger and NID mode at the same time
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 19 Nov 2001 22:28:33 -0800 (PST)
On Mon, 19 Nov 2001, Didier CONTIS wrote:
I am trying to find out if it would be possible using one instance of snort, to simultaneously record all the traffic in one location and perform the regular NIDS analysis with alerts being logged in a different location (or sent to a database).
Yep. Very doable.
The idea behind dumping all the traffic is for us to record one or two days of traffic for post-mortem analysis.
Easily done.
Has anyone tried something like that before ?
Nope. Never did it. Never admit it. ;-) It's all a figment of our imaginations.

Serious Answer: You're talking about "post processing". Works the same basic way that SHADOW does. Record the data, then pass the data files off to another process for processing after the fact. Common, and done every day. You can check the mail archives (instructions at the bottom of each snort-users email...) for more info.

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
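The "post processing" split Erek describes, as an added example that is not part of the original thread and not Snort code: one stage records every frame to a libpcap-format file (the binary tcpdump format Snort writes in packet-logger mode with `-b -l <dir>`), and a second stage reads that file back later, applies detection rules, and writes its alerts to a separate location (in a real deployment that second stage is Snort itself reading the capture with `-r` against the normal rule set). The writer, reader, frame builder, the two content rules, and the addresses and payloads are all constructed for this demo.

```python
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # standard libpcap/tcpdump magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1


def write_pcap(path, records):
    """Stage 1 (packet logger): append every frame to a libpcap file.
    records: iterable of (ts_sec, ts_usec, raw_frame_bytes)."""
    with open(path, "wb") as f:
        # global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in records:
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (ts_sec, ts_usec, frame) from a libpcap file written in either byte order."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) < 24:
            return
        endian = "<" if struct.unpack("<I", hdr[:4])[0] == PCAP_MAGIC else ">"
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            yield ts_sec, ts_usec, f.read(incl_len)


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed sample traffic: Ethernet/IPv4/TCP with zeroed checksums
    (fine for an offline file; not valid on the wire)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"                     # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Minimal decoder: 5-tuple plus payload for IPv4/TCP frames, None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                              # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[doff:]}


# Stand-ins for Snort content rules: (msg, destination port or None for any, content)
RULES = [
    ("WEB-MISC /etc/passwd access attempt", 80, b"/etc/passwd"),
    ("POLICY cleartext root login", 23, b"root"),
]


def post_process(pcap_path, alert_path, rules=RULES):
    """Stage 2 (post-mortem NIDS pass): read the recorded file, apply the rules,
    write alerts to a separate file. Returns the alert lines."""
    alerts = []
    for ts_sec, ts_usec, frame in read_pcap(pcap_path):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        for msg, port, content in rules:
            if (port is None or pkt["dport"] == port) and content in pkt["payload"]:
                alerts.append("%d.%06d [**] %s [**] %s:%d -> %s:%d" % (
                    ts_sec, ts_usec, msg, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    with open(alert_path, "w") as f:
        f.write("\n".join(alerts) + ("\n" if alerts else ""))
    return alerts


def demo():
    """Record a constructed capture, then analyze it after the fact."""
    traffic = [
        (1006230000, 0, build_tcp_frame("10.0.0.5", "10.0.0.80", 40001, 80,
                                        b"GET /index.html HTTP/1.0\r\n\r\n")),
        (1006230001, 500, build_tcp_frame("10.0.0.5", "10.0.0.80", 40002, 80,
                                          b"GET /../../etc/passwd HTTP/1.0\r\n\r\n")),
        (1006230002, 0, build_tcp_frame("10.0.0.7", "10.0.0.23", 40003, 23, b"root\r\n")),
    ]
    workdir = tempfile.mkdtemp()
    pcap_path = os.path.join(workdir, "snort.log")   # where stage 1 stores the raw traffic
    alert_path = os.path.join(workdir, "alert")      # separate location for stage 2 output
    write_pcap(pcap_path, traffic)
    return post_process(pcap_path, alert_path)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the capture file is the only thing the two stages share, the recording stage can run on the sensor with no rules loaded at all, and the analysis stage can be re-run against the same day's file as often as the rule set changes, which is what makes the raw capture useful for post-mortem work.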