Snort mailing list archives
Re: >2Gb capture files
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 06 Jul 2001 14:45:47 -0400
Ding ding ding!!! Give that man a cigar.
-Marty
"Clausing, James A (Jim), SOBUS" wrote:
Am I missing something? More than one snort process can listen on a
given interface, so start the new one first, then kill the old one. There
should be an overlap of a few seconds, but nothing will be lost.
---Jim
-----Original Message-----
From: Shriman Gurung [mailto:sg () dataconnection com]
Sent: Friday, July 06, 2001 9:43 AM
To: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] >2Gb capture files
It seems to me that even if your system supported 2Gb+ files,
you would not want to use them. I find that managing big files
with the standard tools (tcpdump etc) takes ages and often crashes
things.
People have suggested regular snort restarts, which by and large
I agree with, but you might have a really _really_ high traffic site
in which case this might not be practical. Back of envelope
calculation: say you have a (let's pick a number) 48Mbit/s worth of
evil traffic, i.e. 6Mb/s, then you are filling up 2Gb every five minutes.
Who wants to restart Snort every five minutes?
In this scenario, if snort takes three seconds to restart you
potentially lose 18Mb of traffic, which sounds real bad to me. If
you are concerned about losing info whilst snort is restarting, you
could set up two instances of snort on separate machines configured
to restart at different times. For example A restarts snort at t,
t+5, t+10, ... and B at t+2, t+7, t+12, ...
Alternatively, I guess you could set up a collection of machines
running snort (snorters?) and configure each to log a particular
type of traffic, the aim being to reduce the amount of traffic that
each one logged. The downside of that is complexity.
shriman
sg () datcon co uk
--speaking for myself not my employer--
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
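The overlapping restart Jim describes above, written out as an added shell example that is not part of the thread or of Snort itself. It assumes the replacement counts as ready once it has survived a one-second grace period and that each instance logs to its own directory; the snort command line in the trailing comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: rotate a long-running capture process
# by starting the replacement first and only then stopping the old one, so
# the interface is never left unobserved. The capture command is a
# placeholder; each instance is assumed to write to its own log directory.

# rotate_capture OLD_PID COMMAND [ARGS...]
# Starts COMMAND in the background, confirms it is still alive after a short
# grace period, then sends SIGTERM to OLD_PID. On success the new process id
# is left in NEW_PID. If the replacement dies at once (bad interface name,
# bad config, missing privileges) the old process is left running and the
# function returns 1, so a failed rotation never leaves you with no capture.
rotate_capture() {
    old_pid=$1
    shift
    "$@" &                          # start the replacement before stopping anything
    new_pid=$!
    sleep 1                         # crude readiness check: it has not exited yet
    if ! kill -0 "$new_pid" 2>/dev/null; then
        echo "rotate_capture: replacement exited immediately, keeping $old_pid" >&2
        return 1
    fi
    # The overlap is the second spent above; now retire the old instance.
    if ! kill -TERM "$old_pid" 2>/dev/null; then
        echo "rotate_capture: old pid $old_pid was already gone" >&2
    fi
    NEW_PID=$new_pid
    return 0
}

# Example use (placeholder command line; pick your own interface and a fresh
# log directory per instance so the two overlapping processes do not share one):
#   rotate_capture "$OLD_PID" snort -i eth0 -b -l /var/log/snort/new
```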