On Wed, Mar 3, 2010 at 10:09 AM, Mr. MailingLists <mailinglists at soul-dev.com> wrote:

> On 03/03/10 09:41, Raymond Norton wrote:
> >
> > Mr. MailingLists wrote:
> >
> >> On 03/03/10 08:10, Raymond Norton wrote:
> >>
> >>> I need to set up a box at our pop to sniff inbound and outbound traffic.
> >>> I want to set it up as a passive device, or connect to a monitoring port
> >>> on our switch, so if the box fails it does not kill our traffic. The
> >>> device will need to be able to monitor thousands of connections without
> >>> choking. I am pretty sure I would only turn it on when it seemed there
> >>> was suspicious traffic at one of our member schools. Any recommendations
> >>> of a stable solution with a nice interface??
> >>>
> >>> Raymond
> >>
> >> YAY a fun question!!!
> >
> > I used to keep a snort box around for sniffing, but not at this scale.
> > Do you think it would be a good solution for my setup, as long as it
> > meets the hardware specs?
>
> I absolutely believe so. It was designed to be an IDS for large
> infrastructures and as long as you match the specs, plus maybe 20%
> better in case of bursts (and have scalability options), I know this
> would be a great solution. I wish I was only so lucky to go to a school
> where they actively monitored intrusions, as well as possible botnet,
> malware, p2p activity. Well, maybe not p2p ;-), too many valid reasons
> not to.
>
> There are so many ways to configure SNORT, from packet header
> inspection, to deep scanning packet payloads, to anything in between.
> So, if one configuration does not seem to meet your specs, tune away!
>
> Mr. M
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list

I'm going to second the SNORT option. I currently use it to monitor very large throughput networks and have used it to monitor gigantic networks. I've also set it up very similar to what I think you are trying to do, to capture selected data from the wire. I set up a rules file with rules that match the traffic I'm looking for and it will sit there and log it all. Basically a sniffer or network recording device with a complex rules algorithm that could allow me to capture as simple or as complex as I want. For instance, capture all TCP port 80, or all TCP port 25 with a certain phrase in the packet, or a packet with certain flags set but not others. It's actually pretty powerful, and you can set up a logrotate script to clean out old logs and either archive or delete them so you can have a constantly recording system.

--j
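As an added illustration of the "rules file" approach j describes (this is not from the thread or from the Snort project; it is written in the Snort 2.x rule syntax of that era), the file below records the three kinds of traffic mentioned: everything on TCP port 80, port 25 traffic carrying a given phrase, and segments with one flag set but not others. It assumes `HOME_NET` is defined in `snort.conf`, the phrase `free prize` is a constructed sample, and the `sid` values are placeholders in the range Snort leaves free for local rules.

```snort
# Added example, not the thread's own configuration. Assumes snort.conf
# defines HOME_NET (e.g. ipvar HOME_NET 10.0.0.0/8) and includes this file.
# SIDs >= 1000000 are reserved for locally written rules, so these are safe
# placeholders that will not collide with vendor rule sets.

# 1. Record every TCP connection to port 80. The "log" action writes the
#    matching packets to the log directory without raising an alert, which
#    is what you want for a pure recording box.
log tcp any any -> any 80 (msg:"LOCAL record all HTTP"; sid:1000001; rev:1;)

# 2. Port 25 traffic whose payload contains a specific phrase. "flow" limits
#    the check to established client-to-server data; "nocase" makes the
#    content match case-insensitive. The phrase is a constructed sample.
alert tcp any any -> any 25 (msg:"LOCAL SMTP payload phrase"; flow:to_server,established; content:"free prize"; nocase; sid:1000002; rev:1;)

# 3. Flag test: SYN set and every other flag clear, i.e. a new inbound
#    connection attempt. The ",12" mask tells Snort to ignore the two
#    reserved (ECN) bits, so ECN-capable hosts do not slip past the rule.
log tcp !$HOME_NET any -> $HOME_NET any (msg:"LOCAL inbound SYN only"; flags:S,12; sid:1000003; rev:1;)
```

Validate the file with `snort -T -c snort.conf` before putting it on the span port; a syntax error in any rule stops Snort from starting. The "constantly recording" part of j's setup is then a logrotate stanza for the log directory that compresses rotated files and keeps a fixed number of generations, so the disk never fills while the box is left unattended.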