Snort mailing list archives

RE: Stream/Packet Capture with Snort


From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 10 May 2005 09:57:16 -0400

Right now I'm logging alerts directly from Snort to MySQL.  The MySQL
database is on another box with more than enough resources to handle what
I'm considering throwing at it.  So are you saying that the performance of
the Snort sensor itself is going to suffer, and if so, in what way(s)?

Anyway, I had considered using tcpdump to log the e-mail traffic I am
interested in, but my Snort deployment is connected back to a larger ISM
system that can query the MySQL database for packet payload.  It's worth the
disk and memory costs to have that information available to me through the
ISM.  If I can't get Snort to do it, then I might use tcpdump or ngrep for
one-off work, but I'd like to have this capability available within my
current framework just by changing snort.conf and restarting the sensor.

PaulM

-----Original Message-----
Subject: Re: [Snort-users] Stream/Packet Capture with Snort

Paul Melson wrote:

I'm using one of my Snort sensors (v2.3.2 w/ flexresp) to monitor, 
among other things, outbound e-mail traffic.  Right now I am logging 
to a MySQL database and can view the offending packet data on a 
per-alert basis.  In the case of e-mail traffic, packet captures of 
lengthy messages (say those with MIME attachments) don't always include
the message headers.


Hello Paul,

Have you considered just logging port 25 TCP traffic with Tcpdump? 
Putting packets in a database (especially lots of packets) is a bad idea,
IMHO, despite the fact that plenty of vendors do it.  Leaving traffic in
pcap format gives you more options to process whatever you collect.

On a related note, since you mentioned database logging -- are you using
Barnyard or another Snort output spool reader, or are you asking Snort to
make MySQL inserts?  Not using Barnyard or an equivalent is a real
performance killer.
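Added example (not from either post, and not Snort's or Barnyard's code): a small Python reader that takes a pcap of port 25 traffic, stitches the client-side TCP payload back together by sequence number, and pulls out the message header block, which is exactly what a single alert-triggering packet of a long MIME message cannot show. The pcap, the addresses and the message are constructed inline; the reassembly is deliberately minimal (no overlap or gap handling).

```python
import struct
from collections import defaultdict

CHUNKS = [  # constructed sample: one outbound SMTP session, DATA split over three packets
    b"EHLO mta.example.test\r\nMAIL FROM:<alice@example.test>\r\nRCPT TO:<bob@example.test>\r\nDATA\r\n",
    b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: Q2 report\r\n",
    b"Content-Type: multipart/mixed; boundary=x\r\n\r\n--x\r\nContent-Disposition: attachment; filename=q2.zip\r\n\r\n",
    b"UEsDBBQAAAAIAA==\r\n--x--\r\n.\r\n",
]

def _frame(seq, payload):
    """Ethernet/IPv4/TCP frame from 10.0.0.5:41000 to 192.0.2.25:25 (constructed addresses)."""
    tcp = struct.pack("!HHIIBBHHH", 41000, 25, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 25]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap():
    """Write the chunks as a little-endian pcap, deliberately out of order (2nd and 3rd swapped)."""
    seq, frames = 1000, []
    for c in CHUNKS:
        frames.append(_frame(seq, c))
        seq += len(c)
    frames[1], frames[2] = frames[2], frames[1]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 1115727436, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))

def smtp_streams(pcap):
    """Parse Ethernet/IPv4/TCP records and stitch client->server payload to port 25 by seq number."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, flows = 24, defaultdict(dict)
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:       # IPv4 + TCP only
            continue
        t = 14 + (frame[14] & 0x0F) * 4                          # TCP header starts after IHL
        sport, dport, seq = struct.unpack("!HHI", frame[t:t + 8])
        payload = frame[t + (frame[t + 12] >> 4) * 4:]           # skip TCP data offset
        if dport == 25 and payload:                              # last copy of a seq wins (retransmit)
            flows[(frame[26:30], sport, frame[30:34], dport)][seq] = payload
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}

def message_headers(stream):
    """Header block of the first message after DATA, i.e. what one alerting packet cannot show."""
    _, found, body = stream.partition(b"DATA\r\n")
    head, blank, _ = body.partition(b"\r\n\r\n")
    return head.decode("ascii", "replace") if found and blank else None
```

Running `message_headers` on the reassembled stream returns the full From/To/Subject/Content-Type block even though it straddles two packets captured out of order, while the same call on any single packet returns nothing usable.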


