Snort mailing list archives

RE: Catchall Rule


From: "John Cherbini" <cherbini () dakotacom net>
Date: Thu, 6 Feb 2003 09:06:13 -0700


log ip any any -> $HOME_NET any

But traffic isn't always ip traffic....

log icmp any any -> $HOME_NET any
log arp any any -> $HOME_NET any;

Arp....har.....

From what I'm getting, you want to snarf all the frames on 
the wire, then shove that into a DB.  If you do, be _sure_ to 
have acres of disk, and one helluva machine for the DB.  You 
might get better performance using Barnyard to spool the 
files.  If realtime isn't an issue, you might be better off 
with tcpdump and then using Snort to post process.

Basically, this is what is happening.  Realtime is not an issue right
now.  We have the MIT dataset, (binary tcpdump format) and just want to
do some work with it.  So first, we just ran snort on it regularly, and
then we wanted all the tcp, udp and icmp traffic.  The log file is 300+
MB......SOOOoooOOO......I let it run overnight, and in the iphdr field,
there are 1.2+ million records.  Total records across all the tables are....

5793246

And MySQL front app says that the total size of all tables is:

962719KB  (not sure if I really believe that one)

So anyway, it appears to have worked.

Thanks for the info everyone!!

John C.




Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson



