<div class="gmail_quote">On Wed, Mar 3, 2010 at 10:09 AM, Mr. MailingLists <span dir="ltr"><<a href="mailto:mailinglists@soul-dev.com">mailinglists@soul-dev.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On 03/03/10 09:41, Raymond Norton wrote:<br>
><br>
> Mr. MailingLists wrote:<br>
><br>
>> On 03/03/10 08:10, Raymond Norton wrote:<br>
>><br>
>>> I need to set up a box at our pop to sniff inbound and outbound traffic.<br>
>>> I want to set it up as a passive device, or connect to a monitoring port<br>
>>> on our switch, so if the box fails it does not kill our traffic. The<br>
>>> device will need to be able to monitor thousands of connections without<br>
>>> choking. I am pretty sure I would only turn it on when it seemed there<br>
>>> was suspicious traffic at one of our member schools. Any recommendations<br>
>>> of a stable solution with a nice interface??<br>
>>><br>
>>> Raymond<br>
>>><br>
>>><br>
>> YAY a fun question!!!<br>
>><br>
><br>
><br>
><br>
> I used to keep a snort box around for sniffing, but not at this scale.<br>
> Do you think it would be a good solution for my setup, as long as it<br>
> meets the hardware specs?<br>
><br>
><br>
><br>
</div>I absolutely believe so. It was designed to be an IDS for large<br>
infrastructures and as long as you match the specs, plus maybe 20%<br>
better in case of bursts (and have scalability options), I know this<br>
would be a great solution. I wish I was only so lucky to go to a school<br>
where they actively monitored intrusions, as well as possible botnet,<br>
malware, p2p activity. Well, maybe not p2p ;-), too many valid reasons<br>
not to.<br>
<br>
There are so many ways to configure SNORT, from packet header<br>
inspection, to deep scanning packet payloads, to anything in between.<br>
So, if one configuration does not seem to meet your specs, tune away!<br>
<br>
Mr. M<br>
<div><div></div><div class="h5"><br>
_______________________________________________<br>
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota<br>
<a href="mailto:tclug-list@mn-linux.org">tclug-list@mn-linux.org</a><br>
<a href="http://mailman.mn-linux.org/mailman/listinfo/tclug-list" target="_blank">http://mailman.mn-linux.org/mailman/listinfo/tclug-list</a><br>
</div></div></blockquote></div><br>I'm going to second the SNORT option. I currently use it to monitor very large throughput networks and have used it to monitor gigantic networks. I've also set it up very similar to what I think you are trying to do, to capture selected data from the wire. I set up a rules file with rules that match the traffic I'm looking for, and it will sit there and log it all. Basically a sniffer or network recording device with a complex rules algorithm that could allow me to capture as simple or as complex as I want. For instance, capture all TCP port 80, or all TCP port 25 with a certain phrase in the packet, or a packet with certain flags set but not others. <br>
<br>It's actually pretty powerful, and you can set up a logrotate script to clean out old logs and either archive or delete them so you can have a constantly recording system.<br><br>--j<br>
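<br>The three kinds of rule j describes (a port-only match, a port plus payload phrase, and a TCP-flags match), written out as an added example in Snort rule syntax. This is not a rules file posted in the thread. It assumes Snort 2.x syntax and that <code>$HOME_NET</code> and <code>$EXTERNAL_NET</code> are defined in <code>snort.conf</code> as the stock config does; the sids, the "invoice" phrase and the rule names are illustrative choices.<br>

```snort
# local.rules -- three capture rules of the kind described above.
# Assumes Snort 2.x rule syntax and that $HOME_NET / $EXTERNAL_NET are
# defined in snort.conf (the stock config defines both).  sids 1000000 and
# up are reserved for locally written rules.  The SMTP phrase and the
# rule names are illustrative choices, not values from the thread.

# 1. Header-only match: record every TCP segment bound for port 80.
#    'log' writes the full packet to the -l log directory without raising
#    an alert, which is what a pure "network recorder" wants.
log tcp any any -> $HOME_NET 80 (msg:"LOCAL record all TCP/80"; sid:1000001; rev:1;)

# 2. Payload match: TCP/25 traffic whose payload carries a given phrase.
#    'content' does a fast, case-insensitive substring search (|3A| is the
#    hex escape for ':'); 'pcre' then narrows it with a regex and is only
#    evaluated when 'content' already matched.  'flow' needs the stream
#    preprocessor (stream5 in Snort 2.9) to be enabled in snort.conf.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"LOCAL SMTP payload phrase match"; flow:to_server,established; content:"Subject|3A|"; nocase; pcre:"/^Subject:[^\r\n]*invoice/im"; sid:1000002; rev:1;)

# 3. Flag match: SYN and FIN set together and nothing else.  A bare flag
#    list means "exactly these bits"; appending '+' ("SF+") would also
#    accept packets with additional flags set, '*' matches if any listed
#    bit is set, and '!' matches if none of them are.  SYN+FIN never
#    appears in a legitimate handshake.
alert tcp any any -> $HOME_NET any (msg:"LOCAL TCP SYN+FIN set"; flags:SF; sid:1000003; rev:1;)
```

<br>Drop the file next to the other rules, add <code>include $RULE_PATH/local.rules</code> to <code>snort.conf</code>, and run <code>snort -T -c /etc/snort/snort.conf</code> first; <code>-T</code> only parses the config and rules and exits, so a typo surfaces before anything is capturing. Then start it on the mirror interface with <code>snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort</code>. Two caveats for the passive setup asked about above: a box on a switch monitor port can only listen, so it can never take the production path down, but <code>flow:established</code> only fires when the sensor sees both directions of the conversation, so check that the mirror session copies both ingress and egress of the uplink rather than a single direction.<br>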