RE: Data archiving

["Gordon Cunningham" <gcunnin2 () bellsouth net>]

I work for a very large corporation and we have data retention policies that
limit the type and age of the data that is retained for most purposes,
including network security and systems administration.  We do not store
packet payloads beyond the corporate guidelines, but the alert data may be
stored for up to 6 months before we purge it, depending on the database
size.  Chances are we will also set up some summarization capability to have
historical and trending info for future analysis, but the actual data will
be purged after summarization.  And in global corporations like mine,
capturing packet payloads can also be against privacy laws in many
countries, so you are treading on several controversial and possibly legal
areas here.

In reality, keeping ten years' worth of data from a sniffer on a
highly-utilized network segment would be impractical at best and near
impossible at worst (you can't burn CD's fast enough!).

My recommendation is to keep the info long enough for it to be useful.  My
general feeling is that 1year is longer than necessary, but it could be
argued that 1 year is a typical business cycle for retention purposes.  I
think 2-3 months is good if you update your systems quickly as
vulnerabilities are discovered/fixed, 4-6 if you need quarterly reports,
etc.

- Gordon

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Bob McDowell
Sent: Wednesday, March 19, 2003 4:33 PM
To: 'Sammy'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Data archiving

I'd like to know as well, please everyone pitch in on this.  Obviously, the
impulse answer is going to be 'it depends on your organization', but can we
all please be more forthcoming than that?  I think it would be beneficial to
know what your peers are doing with this data.  For example, if the issue
were raised, and someone was the only admin in the field not keeping ten
years' worth of data it could well cost them their job...
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Sammy
Sent: Wednesday, March 19, 2003 2:53 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Data archiving
I'd like to get an idea of what people are doing regarding archiving their
snort data.  How long do you keep data online and then what are you doing
with it?  Are people archiving to tape w/ encryption?  Also, if anyone is
using Snort for capturing all packet traffic, how do you deal with the
tremendous amount of traffic generated?  I'd like to set up my system so
that I can go back as far as possible to look through both alerts as well as
all packet data but I'm finding it really hard to deal with the large
amounts of data (one of my switches has about 20GB/hour running through it).
In the event of a break-in, since I wouldn't know how long the system has
been compromised, I need to go back as far as possible.  Any
advise/assistance is greatly appreciated!  Thanks.
Sammy

  _____

Do you Yahoo!?
Yahoo! Platinum
<http://rd.yahoo.com/platinum/evt=8162/*http://platinum.yahoo.com/splash.htm
l>  - Watch CBS' NCAA March Madness, live on your desktop
<http://rd.yahoo.com/platinum/evt=8162/*http://platinum.yahoo.com/splash.htm
l> !