Snort mailing list archives
Re: (no subject)
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 08 Oct 2002 14:07:56 -0400
Hmm, most people don't log packet bodies for privacy reasons. That data could contain unencrypted passwords, personal data, etc, so storing it is generally more of a liability than most network admins are willing to accept, since storing it increases chances of accidental disclosure. While most of this information isn't terribly sensitive (since it wasn't encrypted) the collective lump of it is a treasure trove.
This kind of collection is also might be illegal in the UK due to RIPA and DPA restrictions there, so be doubly cautious there. IANAL, but I'd recommend checking into it just to CYA. :)
as far as the quantity of data goes, I'd suggest using snort realtime, and maybe doing a supplemental storage of all packet headers only using tcpdump with daily rotations. If something crops up in snort, you can look at the tcpdump logs for additional information. Clearly your network has way too much data traffic to try to log it all, regardless of privacy or legality considerations.
At 02:57 PM 10/8/2002 +0000, counterping () uk2 net wrote:
This Not strictly a SNORT Question so I aplogize in advance. Newbie to the World of TCPDUMP. I am running Snort IDS and as a complimating product .... I have recently been interested in also logging ALL traffic that comes in/out my network via TCPDUMP (ip headers atleast).This is really for the purpose of Forensics etc etc and would be cool to zip upand store away. In the future I would also like to install SHADOW at some point to run these dumps for anomilies.However, the amount of data is silly !! 200 MB per HOUR !! This is far too muchdata to log and store away ? My question being .... Does anyone log ALL IP Headers IN+OUT of there Networks ? Should we be doing this ? Is it a good idea to take this approach ? Any ideas suggestions would be appreciated. Little Confused Matt Y P. P.S anyone know of any TCPDUMP mailing lists ?
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- (no subject) Abimbola Abiola (Oct 08)
- <Possible follow-ups>
- (no subject) counterping (Oct 08)
- Re: (no subject) Matt Kettler (Oct 08)
- RE: (no subject) Beckett, Josh (Oct 08)
- RE: (no subject) Beckett, Josh (Oct 08)
- (no subject) Adrienne Kotze (Oct 10)
- (no subject) Nathan Whitehouse (Oct 14)
- Re: (no subject) hackerwacker (Oct 14)
- Re: (no subject) Erek Adams (Oct 14)
- RE: (no subject) Bob Dehnhardt (Oct 14)
- (no subject) Nanabhay Mohamed * Group (GP) (Oct 16)
- (no subject) Kreimendahl, Chad J (Oct 22)
- (no subject) Ha Tu (Oct 27)
(Thread continues...)