Snort mailing list archives
RE: Data archiving
From: "Gordon Cunningham" <gcunnin2 () bellsouth net>
Date: Wed, 19 Mar 2003 17:29:36 -0500
I work for a very large corporation and we have data retention policies that limit the type and age of the data that is retained for most purposes, including network security and systems administration. We do not store packet payloads beyond the corporate guidelines, but the alert data may be stored for up to 6 months before we purge it, depending on the database size. Chances are we will also set up some summarization capability to have historical and trending info for future analysis, but the actual data will be purged after summarization. And in global corporations like mine, capturing packet payloads can also be against privacy laws in many countries, so you are treading on several controversial and possibly legal areas here. In reality, keeping ten years' worth of data from a sniffer on a highly-utilized network segment would be impractical at best and near impossible at worst (you can't burn CDs fast enough!). My recommendation is to keep the info long enough for it to be useful. My general feeling is that 1 year is longer than necessary, but it could be argued that 1 year is a typical business cycle for retention purposes. I think 2-3 months is good if you update your systems quickly as vulnerabilities are discovered/fixed, 4-6 if you need quarterly reports, etc.

- Gordon

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bob McDowell
Sent: Wednesday, March 19, 2003 4:33 PM
To: 'Sammy'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Data archiving

I'd like to know as well, please everyone pitch in on this. Obviously, the impulse answer is going to be 'it depends on your organization', but can we all please be more forthcoming than that? I think it would be beneficial to know what your peers are doing with this data.

For example, if the issue were raised, and someone was the only admin in the field not keeping ten years' worth of data, it could well cost them their job...

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Sammy
Sent: Wednesday, March 19, 2003 2:53 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Data archiving

I'd like to get an idea of what people are doing regarding archiving their snort data. How long do you keep data online and then what are you doing with it? Are people archiving to tape w/ encryption? Also, if anyone is using Snort for capturing all packet traffic, how do you deal with the tremendous amount of traffic generated? I'd like to set up my system so that I can go back as far as possible to look through both alerts as well as all packet data, but I'm finding it really hard to deal with the large amounts of data (one of my switches has about 20GB/hour running through it). In the event of a break-in, since I wouldn't know how long the system has been compromised, I need to go back as far as possible.

Any advice/assistance is greatly appreciated! Thanks.

Sammy
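As an added example (not code from anyone in the thread), a small retention job implementing the approach Gordon describes: alerts past the retention window are rolled up into daily per-signature counts for trending, then the raw rows and their payloads are purged in one transaction. The schema and the sample alerts are constructed assumptions, not Snort's real database layout.

```python
import sqlite3
from datetime import datetime, timedelta

RETENTION_DAYS = 180  # "up to 6 months" of alert data before purge

# Assumed, simplified stand-in for a Snort alert database (not the real schema).
SCHEMA = """
CREATE TABLE event   (cid INTEGER PRIMARY KEY, sig_name TEXT, timestamp TEXT);
CREATE TABLE payload (cid INTEGER PRIMARY KEY, data BLOB);
CREATE TABLE summary (day TEXT, sig_name TEXT, hits INTEGER, PRIMARY KEY (day, sig_name));
"""

def load_constructed_alerts(conn, now):
    """Constructed sample data: three alerts past the window, one recent one."""
    rows = [
        (1, "ICMP PING NMAP", now - timedelta(days=200), b"\x08\x00"),
        (2, "ICMP PING NMAP", now - timedelta(days=200, hours=3), b"\x08\x00"),
        (3, "WEB-IIS cmd.exe access", now - timedelta(days=190), b"GET /cmd.exe"),
        (4, "ICMP PING NMAP", now - timedelta(days=2), b"\x08\x00"),
    ]
    for cid, sig, ts, data in rows:
        conn.execute("INSERT INTO event VALUES (?,?,?)", (cid, sig, ts.isoformat()))
        conn.execute("INSERT INTO payload VALUES (?,?)", (cid, data))

def summarize_and_purge(conn, now):
    """Roll old alerts into daily per-signature counts, then delete them. Returns rows purged."""
    cutoff = (now - timedelta(days=RETENTION_DAYS)).isoformat()
    with conn:  # one transaction: summary and purge succeed or fail together
        grouped = conn.execute(
            "SELECT date(timestamp), sig_name, COUNT(*) FROM event "
            "WHERE timestamp < ? GROUP BY 1, 2", (cutoff,)).fetchall()
        for day, sig, n in grouped:
            conn.execute("INSERT OR IGNORE INTO summary VALUES (?,?,0)", (day, sig))
            conn.execute("UPDATE summary SET hits = hits + ? "
                         "WHERE day = ? AND sig_name = ?", (n, day, sig))
        # payload is the privacy-sensitive part, so it goes with the raw events
        conn.execute("DELETE FROM payload WHERE cid IN "
                     "(SELECT cid FROM event WHERE timestamp < ?)", (cutoff,))
        return conn.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,)).rowcount

def run_demo(now=datetime(2003, 3, 19, 17, 29, 36)):
    """Returns (summary rows, rows purged, events still online, payloads still online)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_constructed_alerts(conn, now)
    purged = summarize_and_purge(conn, now)
    summary = conn.execute("SELECT * FROM summary ORDER BY day").fetchall()
    events, payloads = conn.execute(
        "SELECT (SELECT COUNT(*) FROM event), (SELECT COUNT(*) FROM payload)").fetchone()
    return summary, purged, events, payloads
```

Run `run_demo()` to see the two summary rows that survive and the single recent alert left online.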