On 28 Dec 2004 23:43:17 +0100, Jose Maria Lopez <jkerouac@bgsec.com> wrote:
El dom, 19 de 12 de 2004 a las 16:15, Klemen Mihevc escribiC3:
now i have a problem couse every packet is logged (and logs are huge)
even if it's only about 1k big and it is product of outside scan of
server not actual connection to it. Is there anyway to log only first
and last package from 1 ip and only if data transfer is bigger then
let's say 5k? Or maybe anyother way to log that connections? I also
tryed with chaosreader & tcpdump but this method is too much cpu & ram
consuming and i also tried with iptable but again with same problem
(every package is logged). I relay wanna use snort because i can use
mysql & acid for statistic...
How about using SanCP for the job? The output can easily be imported
to a database and it doesn't log every packet (unless you ask for it).
Another solution is to use Argus, or use stream4's session logging...
I know how you feel, you like snort and are comfortable using it. But
Snort is not a silver bullet - nothing is. You locate and use the best
tool for the job, and it may or may not be something you already know.
I know that I spend a considerable amount of time learning about new
tools and techniques, and yet I've much left to learn (which why I
like InfoSec in the first place - you never get the time to become
bored)....
Best regards
Michael Boman
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
