On Wed, Mar 3, 2010 at 10:09 AM, Mr. MailingLists <mailinglists at soul-dev.com> wrote:

> On 03/03/10 09:41, Raymond Norton wrote:
> >
> > Mr. MailingLists wrote:
> >
> >> On 03/03/10 08:10, Raymond Norton wrote:
> >>
> >>> I need to set up a box at our pop to sniff inbound and outbound traffic.
> >>> I want to set it up as a passive device, or connect to a monitoring port
> >>> on our switch, so if the box fails it does not kill our traffic. The
> >>> device will need to be able to monitor thousands of connections without
> >>> choking. I am pretty sure I would only turn it on when it seemed there
> >>> was suspicious traffic at one of our member schools. Any recommendations
> >>> of a stable solution with a nice interface??
> >>>
> >>> Raymond
> >>>
> >>>
> >> YAY a fun question!!!
> >>
> >
> > I used to keep a snort box around for sniffing, but not at this scale.
> > Do you think it would be a good solution for my setup, as long as it
> > meets the hardware specs?
> >
> I absolutely believe so. It was designed to be an IDS for large
> infrastructures and as long as you match the specs, plus maybe 20%
> better in case of bursts (and have scalability options), I know this
> would be a great solution. I wish I was only so lucky to go to a school
> where they actively monitored intrusions, as well as possible botnet,
> malware, p2p activity. Well, maybe not p2p ;-), too many valid reasons
> not to.
>
> There are so many ways to configure SNORT, from packet header
> inspection, to deep scanning packet payloads, to anything in between.
> So, if one configuration does not seem to meet your specs, tune away!
>
> Mr. M
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>

I'm going to second the SNORT option. I currently use it to monitor very
large-throughput networks and have used it to monitor gigantic networks.
I've also set it up very similarly to what I think you are trying to do, to
capture selected data from the wire.  I set up a rules file with rules that
match the traffic I'm looking for, and it will sit there and log it all.
Basically it's a sniffer or network recording device with a complex rules
algorithm that allows me to capture as simple or as complex as I want.
For instance, capture all TCP port 80, or all TCP port 25 with a certain
phrase in the packet, or a packet with certain flags set but not others.

It's actually pretty powerful, and you can set up a logrotate script to clean
out old logs and either archive or delete them, so you can have a constantly
recording system.

--j
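The rules file and log rotation that --j describes, as an added example that is not from the original thread or from the Snort project: a POSIX shell script that writes a small Snort 2 rules file covering the three cases mentioned (all TCP/80, TCP/25 carrying a phrase, a packet with one flag set and no others), a logrotate stanza for Snort's text alert file, and a find-based pruner for Snort's timestamped packet logs. The paths (/etc/snort/snort.conf, /var/log/snort), the interface name eth1, the SIDs and the sample phrase are all assumptions.

```shell
#!/bin/sh
# Added example, not from the TCLUG thread or the Snort project.
# Assumed paths: /etc/snort/snort.conf, /var/log/snort, interface eth1.
set -eu

# Snort 2 rules matching the three cases from the post. "log" records the
# packet without raising an alert; use "alert" to get both.
# Usage: write_rules <rules_file>
write_rules() {
    cat > "$1" <<'EOF'
# Constructed example rules. $HOME_NET / $EXTERNAL_NET come from snort.conf.
# Local SIDs should start at 1000000 so they never collide with vendor rules.

# 1. Every TCP port 80 packet, either direction (<> is bidirectional).
log tcp any any <> any 80 (msg:"capture all tcp/80"; sid:1000001; rev:1;)

# 2. TCP port 25 packets whose payload contains a phrase, case-insensitive.
log tcp any any -> any 25 (msg:"smtp with phrase"; content:"urgent wire transfer"; nocase; sid:1000002; rev:1;)

# 3. Packets with SYN set and no other flag. "flags:S" is an exact match on
#    the flag set; ",12" ignores the two ECN reserved bits so ECN-capable
#    SYNs still match. "flags:S+" would allow extra flags, "flags:!A" negates.
log tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"bare SYN"; flags:S,12; sid:1000003; rev:1;)
EOF
}

# logrotate stanza for Snort's text alert file. copytruncate lets Snort keep
# its open file descriptor, at the cost of losing any line written between
# the copy and the truncate; fine for a sniffer, not for evidence-grade logs.
# Usage: write_logrotate <stanza_file>   (install as /etc/logrotate.d/snort)
write_logrotate() {
    cat > "$1" <<'EOF'
# Constructed example; /var/log/snort is an assumed log directory.
/var/log/snort/alert {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    copytruncate
}
EOF
}

# Snort names its packet logs snort.log.<epoch>; a logrotate wildcard would
# re-rotate files it already rotated, so prune those by age instead.
# Usage: prune_old_logs <dir> <days>
prune_old_logs() {
    find "$1" -maxdepth 1 -type f -name 'snort.log.*' -mtime "+$2" \
        -exec rm -f {} +
}

# Counts rules (lines starting with an action keyword) so a truncated or
# mis-edited file is noticed before Snort is restarted.
count_rules() {
    grep -c -E '^(alert|log|pass) ' "$1"
}

# Typical invocation once the files are in place (assumed paths), after
# adding "include $RULE_PATH/local.rules" to snort.conf:
#   snort -T -c /etc/snort/snort.conf            # parse config and rules only
#   snort -c /etc/snort/snort.conf -i eth1 -l /var/log/snort -D

if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    write_rules "$1"
    write_logrotate "$2"
    echo "wrote $(count_rules "$1") rules to $1"
fi
```

Run it as `sh snort_capture_setup.sh /etc/snort/rules/local.rules /etc/logrotate.d/snort` (as root), then `snort -T -c /etc/snort/snort.conf` to confirm the rules parse before pointing the daemon at the span port. Note that the rules select which packets are logged; Snort still sees every packet on the interface, so the hardware sizing discussed above applies regardless of how narrow the rules are.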