Snort mailing list archives

RE: Data archiving


From: "Bob McDowell" <bmcdowell () coxhealthplans com>
Date: Wed, 19 Mar 2003 15:32:45 -0600

I'd like to know as well, please everyone pitch in on this.  Obviously, the
impulse answer is going to be 'it depends on your organization', but can we
all please be more forthcoming than that?  I think it would be beneficial to
know what your peers are doing with this data.  For example, if the issue
were raised, and someone was the only admin in the field not keeping ten
years' worth of data it could well cost them their job...

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Sammy
Sent: Wednesday, March 19, 2003 2:53 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Data archiving



I'd like to get an idea of what people are doing regarding archiving their
snort data.  How long do you keep data online and then what are you doing
with it?  Are people archiving to tape w/ encryption?  Also, if anyone is
using Snort for capturing all packet traffic, how do you deal with the
tremendous amount of traffic generated?  I'd like to set up my system so
that I can go back as far as possible to look through both alerts as well as
all packet data but I'm finding it really hard to deal with the large
amounts of data (one of my switches has about 20GB/hour running through it).
In the event of a break-in, since I wouldn't know how long the system has
been compromised, I need to go back as far as possible.  Any
advice/assistance is greatly appreciated!  Thanks.

Sammy
