Snort mailing list archives

Re: (no subject)


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 08 Oct 2002 14:07:56 -0400

Hmm, most people don't log packet bodies for privacy reasons. That data could contain unencrypted passwords, personal data, etc., so storing it is generally more of a liability than most network admins are willing to accept, since storing it increases the chances of accidental disclosure. While most of this information isn't terribly sensitive (since it wasn't encrypted), the collective lump of it is a treasure trove.

This kind of collection might also be illegal in the UK due to RIPA and DPA restrictions there, so be doubly cautious there. IANAL, but I'd recommend checking into it just to CYA. :)

As far as the quantity of data goes, I'd suggest using snort realtime, and maybe doing supplemental storage of all packet headers only, using tcpdump with daily rotations. If something crops up in snort, you can look at the tcpdump logs for additional information. Clearly your network has way too much data traffic to try to log it all, regardless of privacy or legality considerations.




At 02:57 PM 10/8/2002 +0000, counterping () uk2 net wrote:
This is not strictly a SNORT question, so I apologize in advance.

Newbie to the World of TCPDUMP.

I am running Snort IDS and as a complementing product ....
I have recently been interested in also logging ALL traffic that comes in/out
of my network via TCPDUMP (IP headers at least).
This is really for the purpose of forensics etc. and would be cool to zip up
and store away.

In the future I would also like to install SHADOW at some point to run these
dumps for anomalies.

However, the amount of data is silly !! 200 MB per HOUR !! This is far too much
data to log and store away ?

My question being ....
Does anyone log ALL IP headers IN+OUT of their networks?
Should we be doing this ? Is it a good idea to take this approach ?
Any ideas suggestions would be appreciated.

Little Confused
Matt Y P.

P.S. Anyone know of any TCPDUMP mailing lists?
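The reply's "packet headers only" advice is normally applied at capture time (tcpdump's snaplen option, `-s`, truncates each packet to the first N bytes). As an added example that is not from this thread, Snort or tcpdump, the script below applies the same idea after the fact: it trims an existing classic pcap (Ethernet link type assumed) down to Ethernet + IPv4 + TCP/UDP headers, dropping the payload bodies that carry passwords and personal data, while keeping each record's original wire length for forensic sizing. The sample pcap is constructed inline; the helper names are this example's own.

```python
import struct

ETH_LEN = 14
PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond pcap magic, written host-endian

def header_len(pkt):
    """Bytes of an Ethernet frame that are headers only (Ethernet + IPv4 + TCP/UDP).
    Non-IPv4 frames are kept whole (assumption: ARP etc. carry no private payload)."""
    if len(pkt) < ETH_LEN + 20 or pkt[12:14] != b"\x08\x00":
        return len(pkt)
    ihl = (pkt[ETH_LEN] & 0x0F) * 4            # IPv4 header length incl. options
    proto = pkt[ETH_LEN + 9]
    l4 = ETH_LEN + ihl
    if proto == 6 and len(pkt) > l4 + 12:      # TCP: data offset nibble, incl. options
        return min(len(pkt), l4 + (pkt[l4 + 12] >> 4) * 4)
    if proto == 17:                            # UDP: fixed 8-byte header
        return min(len(pkt), l4 + 8)
    return min(len(pkt), l4)                   # other IP protocols: IP header only

def pcap_records(pcap_bytes):
    """Yield (endian, ts_sec, ts_usec, caplen, wirelen, packet_bytes) for each record."""
    endian = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        yield endian, ts_sec, ts_usec, caplen, wirelen, pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen

def strip_payloads(pcap_bytes):
    """Return a copy of the pcap with every packet cut to header_len(); caplen is rewritten,
    the original wire length is kept so the on-the-wire size stays visible for forensics."""
    out = bytearray(pcap_bytes[:24])           # global header is copied unchanged
    for endian, ts_sec, ts_usec, _caplen, wirelen, pkt in pcap_records(pcap_bytes):
        keep = header_len(pkt)
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, keep, wirelen) + pkt[:keep]
    return bytes(out)

def caplens(pcap_bytes):
    """Helper for checking results: (caplen, wirelen) per record."""
    return [(r[3], r[4]) for r in pcap_records(pcap_bytes)]

def make_sample_pcap():
    """Constructed sample (not real traffic): one Ethernet/IPv4/TCP frame with a fake login body."""
    payload = b"user=alice&pass=hunter2"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip + tcp + payload
    gh = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return gh + struct.pack("<IIII", 1034100000, 0, len(frame), len(frame)) + frame
```

Running `strip_payloads` over a daily capture before it is zipped and stored away keeps the header record the forensics case needs while removing the bodies that make the archive a liability.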


