Snort mailing list archives

Re: BandWidth question


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 09 Aug 2005 18:43:54 -0400

Sabbiolina wrote:
Hello there,
I need to analyze all e-mail traffic looking for specific
words/sentences and dump to disk all messages matching those criteria.
On an average P4 3.2 MHz what is the hypothetical bandwidth limit (in
megabits)?

Snort is NOT a good tool for this kind of thing, so bandwidth is irrelevant.

Snort would only be able to log to disk a small fraction of the message that
matched. Namely, the chunk of the datastream from stream4 that matched. We're
talking 1.5k bytes at most.

Snort is a NIDS, which is a Network Intrusion Detection System. At a very
fundamental level, snort operates on network packets.

Snort does not operate on email messages, webpages, files, or anything else,
except to the extent that parts of them exist in the packets snort observes.
Snort does not strip things out into their "larger parts" and analyze them, so
it has no concept of where an email message begins and ends. Snort sees a series
of packets and knows they are a part of the same datastream, and they go one
after the other.

Stream4 assists snort in re-assembling datastreams across packets, but it
doesn't buffer very much, as it's only intended to assemble tiny packets
together into lumps of a few hundred bytes at a time. If a packet is "decent
sized" (more than a few hundred bytes) AFAIK stream4 doesn't buffer it.


Aside from Stream4, snort retains no memory of the contents of packets that have
already come by. By the time you detect a "content" in a message, all the
packets that began the message are already forgotten by snort.
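The limitation described above, as an added example that is not part of the original post: a Python simulation (constructed sample message, hypothetical helper names) in which a packet-level matcher with a small reassembly window retains only the chunk that contained the keyword, while a session-aware buffer that tracks the SMTP DATA terminator can return the whole message.

```python
# Added illustration, not Snort code: why a packet-level content match cannot
# dump a whole e-mail, and what a session-aware capture has to do instead.
from typing import List, Optional

# Constructed sample: one SMTP message, terminated by the DATA "." line.
MESSAGE = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: quarterly numbers\r\n"
    "\r\n"
    "Hi Bob, the draft is attached. Please keep it CONFIDENTIAL until Friday.\r\n"
    "Thanks, Alice\r\n"
)
SMTP_DATA = MESSAGE + ".\r\n"


def segment(data: str, size: int) -> List[str]:
    """Split the stream into fixed-size TCP-like segments (constructed)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def packet_level_match(segments: List[str], keyword: str,
                       window: int = 2) -> Optional[str]:
    """stream4-style: only the last `window` segments are reassembled, older
    ones are forgotten. Joining the window still catches a keyword split
    across a segment boundary. Returns the chunk that matched, or None."""
    recent: List[str] = []
    for seg in segments:
        recent.append(seg)
        recent = recent[-window:]
        chunk = "".join(recent)
        if keyword in chunk:
            return chunk          # at most window*size bytes, never the header
    return None


def session_level_match(segments: List[str], keyword: str) -> Optional[str]:
    """Buffer the entire DATA section until the terminating "." line, then
    match. Returns the full message (terminator stripped), or None."""
    buf = ""
    for seg in segments:
        buf += seg
        if buf.endswith("\r\n.\r\n"):
            body = buf[:-3]
            return body if keyword in body else None
    return None
```

Running both matchers over `segment(SMTP_DATA, 40)` shows the packet-level hit is an 80-byte chunk without the headers, while the session-level hit is the complete message.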