Snort mailing list archives

Re: network audit


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 13 Mar 2003 14:37:59 -0500

Someone else already answered, but I'm going to give a more complete one, and question why you even want to use snort for this in the first place when much better tools for the job exist.

At 10:56 AM 3/11/2003 -0800, you wrote:
> Hi,
>
> I'd like to use snort as a traffic archiver. (100mbit network)
> I have a few questions:
> 1. How do I configure it to archive all the traffic to a database?

use a snort conf that only has one rule, something like this:
log ip any any -> any any (msg:"pkt"; classtype:misc-activity; sid:1000000; rev:1;)

or use tcpdump -w, which was designed to do this kind of thing in the first place and will be much lower overhead, faster, and less prone to missing packets. It also can log all the traffic, not just IP traffic. The only drawback is it won't database the stuff.

> 2. Can I save the full packet to the database? (including frame headers, etc.)

I think the default for "log" and "alert" rules is to send the packet to the db specified by "output database: log", but I've never used database logging myself.

> 3. How can I log both to a database and a local file?

Probably; see the disclaimer in my answer to #2.

> Will it have great influence on the performance?

Definitely.

> 4. If I install local MySQL, will it handle the load?

If the 100mbit network is saturated, or has bursts of saturation, probably not. Snort isn't going to be able to sustain logging everything on a saturated wire like that. It takes a great deal of effort for snort to handle a steady 50mbit/sec load without significant packet loss. Admittedly your rules are simpler than the standard set, but you're also logging a lot more.


Can I repeat my suggestion of using tcpdump?

> 5. Is there a tool or option through snort in which I can issue sql queries to the database? I want to select, for example, 3 days back all the packets to a libpcap format file, so I can analyze it.

if you want libpcap files, why not just generate libpcap files with tcpdump?

As for queries, snort itself doesn't have such a thing, but there are lots of management-console tools like ACID that might do this.



> thank you very much



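As an added example (not code from Matt's post or from the Snort project): the extraction asked about in question 5 done without a database. It is a small Python reader and writer for the libpcap format that tcpdump -w produces, plus a filter that pulls a time window (here the last three days) out of an archive into a new pcap file. Because libpcap records hold the whole captured frame, Ethernet header included, the output also answers question 2 for the tcpdump route. The capture it operates on is constructed inline with made-up frames and timestamps; the magic numbers, header layout and link type are the real libpcap ones.

```python
"""Time-window extraction from a libpcap archive (added example, not from the post)."""
import struct

# libpcap magic numbers in the writer's native byte order: microsecond and nanosecond variants
PCAP_MAGIC_US = 0xA1B2C3D4
PCAP_MAGIC_NS = 0xA1B23C4D
LINKTYPE_ETHERNET = 1  # DLT_EN10MB: each record holds a whole Ethernet frame


def pcap_global_header(endian="<", snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """24-byte file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype."""
    return struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts, frame, endian="<"):
    """16-byte record header (sec, usec, incl_len, orig_len) followed by the frame bytes."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack(endian + "IIII", sec, usec, len(frame), len(frame)) + frame


def write_pcap(records, endian="<"):
    """Serialise (timestamp, frame) pairs into one complete libpcap file."""
    return pcap_global_header(endian) + b"".join(pcap_record(ts, f, endian) for ts, f in records)


def read_pcap(data):
    """Yield (timestamp, frame) pairs, detecting byte order and timestamp resolution from the magic."""
    if len(data) < 24:
        raise ValueError("too short to hold a libpcap file header")
    (magic,) = struct.unpack("<I", data[:4])
    endian = "<"
    if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        (magic,) = struct.unpack(">I", data[:4])
        if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            raise ValueError("not a libpcap file: magic %r" % data[:4])
        endian = ">"
    divisor = 1_000_000 if magic == PCAP_MAGIC_US else 1_000_000_000
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:  # file cut short, e.g. capture still being written
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield sec + frac / divisor, frame


def extract_window(data, start, end):
    """Return (new pcap bytes, record count) keeping records with start <= timestamp <= end."""
    kept = [(ts, f) for ts, f in read_pcap(data) if start <= ts <= end]
    return write_pcap(kept), len(kept)


def eth_frame(payload, ethertype=0x0800):
    """Constructed Ethernet II frame: broadcast dst, a made-up locally administered src MAC."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack(">H", ethertype) + payload


# Constructed sample capture (not real traffic): four frames spread over four days.
NOW = 1_047_600_000  # 2003-03-14 00:00:00 UTC, the era of the original thread
DAY = 86_400
SAMPLE_RECORDS = [
    (NOW - 4 * DAY, eth_frame(b"too old")),
    (NOW - 2 * DAY, eth_frame(b"two days ago")),
    (NOW - 3_600, eth_frame(b"an hour ago")),
    (NOW, eth_frame(b"now")),
]
SAMPLE_CAPTURE = write_pcap(SAMPLE_RECORDS)


def last_three_days(capture=SAMPLE_CAPTURE, now=NOW):
    """The asker's use case: pull the last three days out of the archive as a pcap file."""
    return extract_window(capture, now - 3 * DAY, now)


if __name__ == "__main__":
    out, n = last_three_days()
    print("kept %d of %d records, %d bytes of pcap" % (n, len(SAMPLE_RECORDS), len(out)))
    for ts, frame in read_pcap(out):
        print(int(ts), frame[14:])  # strip the 14-byte Ethernet header for display
```

Against a real archive you would feed each file tcpdump -w wrote into read_pcap (concatenating the kept records from all of them) and write the result with write_pcap; the output opens in tcpdump, Snort or any other libpcap consumer, which is the whole point of skipping the database.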
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
