Snort mailing list archives

Re: Best practice for Snort with pcap file?


From: Russ via Snort-users <snort-users () lists snort org>
Date: Fri, 16 Jun 2017 20:38:36 -0400

Hi. Neither is better; it just depends on your goals. Use packet captures for testing, debugging, analysis, etc. Use network interfaces to protect your network. Either way you can use multiple processing threads by providing multiple sources (pcaps or interfaces). We will eventually support internal load balancing but for now that must be done externally. And yes, high speed packet captures will quickly fill up your disk. :)

Check the manual (or the DAQ tarball README) for packet acquisition options. The various Snort 2.X documents also have helpful information for DAQ configurations. And check back here if you get stuck.

Good luck.
Russ

On 6/16/17 5:52 PM, Nishant Bhat via Snort-users wrote:
(Noob question) I'm setting up Snort 3, and the manual shows both how to set up Snort to listen to live traffic on a network interface, and how to have Snort inspect a packet capture file. I'm wondering which of these configurations is a better practice? I see more examples of the pcap-inspection setup, so I'm assuming this is what tends to get used. It also seems like this is the only way to take advantage of Snort 3's multithreading.

In this case, do people usually set up a separate instance of tcpdump to capture packets? If so, how do you avoid having the pcap file use all your disk space? Thanks in advance!


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
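As an added example (not code from Russ, the poster, or the Snort project), a POSIX shell script that ties together the two points in this thread: a tcpdump ring-buffer capture that puts a hard bound on disk use, and a Snort 3 replay of that capture directory with one packet thread per pcap. The interface, directory, config path, file size, file count and thread count are assumptions, as is the Snort 3 default pcap filter of `*.pcap`.

```shell
#!/bin/sh
# Added example: bounded-disk capture with tcpdump, then Snort 3 replay with
# several packet threads. All values below are assumptions, not from the thread.
IFACE="${IFACE:-eth0}"
CAP_DIR="${CAP_DIR:-/var/captures}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.lua}"
FILE_MB="${FILE_MB:-100}"        # size of each capture file in MB (tcpdump -C)
FILE_COUNT="${FILE_COUNT:-20}"   # ring length (tcpdump -W): oldest file is overwritten
THREADS="${THREADS:-4}"          # Snort 3 packet threads (-z); each thread reads one pcap

# Upper bound on disk used by the ring buffer, in MB: the capture never grows past this.
max_disk_mb() { echo $(( FILE_MB * FILE_COUNT )); }

# tcpdump command: -C/-W rotate through a fixed number of files, so the capture can run
# indefinitely without filling the disk (the poster's concern). Files are named
# cap.pcap00, cap.pcap01, ... by tcpdump.
capture_cmd() {
    echo "tcpdump -i $IFACE -n -s 0 -C $FILE_MB -W $FILE_COUNT -w $CAP_DIR/cap.pcap"
}

# Snort 3 replay command: --pcap-dir hands each file in the directory to a packet thread,
# so multiple pcaps give multiple threads (-z). The filter is widened because the
# rotated names do not end in .pcap and would be missed by the assumed default '*.pcap'.
replay_cmd() {
    echo "snort -c $SNORT_CONF --pcap-dir $CAP_DIR --pcap-filter 'cap.pcap*' -z $THREADS -A alert_fast -q"
}

case "${1:-}" in
    capture) eval "$(capture_cmd)" ;;
    replay)  eval "$(replay_cmd)" ;;
    "")      ;;   # sourced or run without an action: define functions only
    *)       echo "usage: $0 capture|replay" >&2; exit 2 ;;
esac
```

Run `capture` on the sensor (as a user allowed to open the interface) and `replay` later on the same or another host; the disk bound is simply `FILE_MB * FILE_COUNT`.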
