[Snort-devel] Snort.org Blog: Snort's output methods

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2499...
Mon Jun 27 16:32:23 EDT 2011

I use syslog output exclusively and if it went away I would have to
immediately transfer my large infrastructure to Suricata and take my dozen
Sourcefire appliances and use half of them for target practice with my
AR-15 and Glock .40 and the other half I would build a Beowulf cluster for
OISF/EmergingThreats Pro to utilize.  Since Suricata is Open Source, I would
take my Sourcefire appliance budget and buy huge solar panels to power the
cluster.  Sounds like fun.

-L0rd C.

On Mon, Jun 27, 2011 at 10:16 AM, Joel Esler <jesler at ...402...> wrote:

> http://blog.snort.org/2011/06/snorts-output-methods.html
> Snort's output methods
> Ever since the beginning of Snort, one of the main concerns was "how do I
> get data out of Snort".  Some of the options available have their advantages
> and disadvantages.
> There's some that aren't used.
> There's some that cause Snort to be slow.
> There's some that we don't maintain and don't frequently test.
> and
> There's some that we want to get rid of.
> One of those output methods is the "spo_database" module.  Or the module in
> Snort that directly inputs data from Snort into a MySQL, Postgres, or an
> Oracle database.  This logging method was written back in the late '90s by a
> college student (along with the db schema and the interface ACID) as a
> project for his thesis.
> It hasn't been very well maintained since then.  In fact, we don't test
> against it, and we don't recommend it for use.  It makes Snort, which is a
> high-speed data processor, have to stop doing what it's doing (being an
> IPS), and insert data into the database.  While Snort is inserting into the
> database, this stops inspection waiting for the database connection.
> So we are going to remove it.
> In order to provide the type of functionality we'd like to provide with
> Snort in the next few releases (more data for you!), we needed someone to
> take over the maintenance of the db schema that is shipped with Snort as
> well.  As a result of the discussion on the Snort-devel list, the team
> members over at the barnyard2 project have agreed to take over the
> maintenance of these schemas.
> At this point I'd like to hear from the community as well.  So please leave
> comments.
> What output plugins do you use?
> Will you be affected by this change (we hope a lot of you aren't using the
> spo_database method)?
> What other output plugins do you think we can "show the door"?
> Please leave comments at the above link.
> Thanks.
> Joel Esler
> OpenSource Community Manager
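Added example, not from the post or from the Snort or barnyard2 projects: the blocking spo_database setup the blog says is being removed, beside the decoupled layout the barnyard2 hand-off points at (Snort spools unified2 records locally, barnyard2 does the database writes). Database name, credentials, paths, sensor name and interface are assumed placeholders.

```conf
# --- snort.conf: the pattern being retired ---
# With spo_database, Snort itself holds the DB connection and performs an
# INSERT per event, so packet inspection pauses until the insert completes.
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=127.0.0.1

# --- snort.conf: decoupled alternative ---
# Snort only appends binary records to a local spool file; no database
# round trip sits on the inspection path. "limit" caps each file at 128 MB.
output unified2: filename merged.log, limit 128

# Syslog output (what the reply above relies on) is likewise a local
# syslog() call per alert, with no database connection in Snort's path.
output alert_syslog: LOG_AUTH LOG_ALERT

# --- barnyard2.conf: separate process on the sensor host ---
# barnyard2 tails the unified2 spool and writes to the database, so a slow
# or unreachable database backs up the spool instead of stalling the sensor.
config hostname: sensor01        # assumed sensor name
config interface: eth0           # assumed monitoring interface
input unified2
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=127.0.0.1

# Start barnyard2 against the spool directory. The waldo file records the
# read position so a restart resumes instead of re-inserting old events:
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f merged.log \
#             -w /var/log/snort/barnyard2.waldo
```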