[Snort-devel] Snort.org Blog: Snort's output methods
l0rdch0de1m0rt at ...2499...
Mon Jun 27 16:32:23 EDT 2011
I use syslog output exclusively and if it went away I would have to
immediately transfer my large infrastructure to Suricata and take my dozen
Sourcefire appliances and use half of them for target practice with my
AR-15 and Glock .40 and the other half I would build a Beowulf cluster for
OISF/EmergingThreats Pro to utilize. Since Suricata is Open Source, I would
take my Sourcefire appliance budget and buy huge solar panels to power the
cluster. Sounds like fun.
On Mon, Jun 27, 2011 at 10:16 AM, Joel Esler <jesler at ...402...> wrote:
> Snort's output methods
> Ever since the beginning of Snort, one of the main concerns was "how do I
> get data out of Snort". Some of the options available have their advantages
> and disadvantages.
> There's some that aren't used.
> There's some that cause Snort to be slow.
> There's some that we don't maintain and don't frequently test.
> There's some that we want to get rid of.
> One of those output methods is the "spo_database" module. Or the module in
> Snort that directly inputs data from Snort into a mysql, postgres, or an
> Oracle database. This logging method was written back in the late 90's by a
> college student (along with the db schema and the interface ACID) as a
> project for his thesis.
> It hasn't been very well maintained since then. In fact, we don't test
> against it, and we don't recommend it for use. It makes Snort, which is a
> high-speed data processor, have to stop doing what it's doing (being an
> IPS), and insert data into the database. While Snort is inserting into the
> database, this stops inspection waiting for the database connection.
> So we are going to remove it.
> In order to provide the type of functionality we'd like to provide with
> Snort in the next few releases (more data for you!), we needed someone to
> take over the maintenance of the db schema that is shipped with Snort as
> well. As a result of the discussion on the Snort-devel list, the team
> members over at the barnyard2 project have agreed to take over the
> maintenance of these schemas.
> At this point I'd like to hear from the community as well. So please leave
> What output plugins do you use?
> Will you be affected by this change (we hope a lot of you aren't using the
> spo_database method)?
> What other output plugins do you think we can "show the door"?
> Please leave comments at the above link.
> Joel Esler
> OpenSource Community Manager
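As an added example (not code from the thread or from the Snort project), here is a small parser for the alert lines that Snort's alert_syslog output plugin writes, the output method the reply above relies on. It assumes the Snort 2.x line layout `[gid:sid:rev] msg [Classification: text] [Priority: n] {proto} src:port -> dst:port` and IPv4 addresses; the syslog lines are constructed.

```python
import re
from collections import Counter

# Alert line written by Snort's alert_syslog plugin (Snort 2.x layout, assumed here):
#   snort[pid]: [gid:sid:rev] msg [Classification: text] [Priority: n] {proto} src:sport -> dst:dport
# The Classification block is absent for rules without a classtype, and ports are
# absent for protocols that have none (ICMP). IPv4 only, so ':' is unambiguous.
ALERT_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Z0-9]+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample syslog text: three Snort alerts plus one unrelated sshd line.
SAMPLE_SYSLOG = """\
Jun 27 16:32:23 sensor1 snort[2417]: [1:1000001:2] LOCAL web scanner user-agent [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:45678 -> 198.51.100.5:80
Jun 27 16:32:24 sensor1 snort[2417]: [1:1000002:1] LOCAL ICMP echo from outside [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
Jun 27 16:32:25 sensor1 snort[2417]: [1:1000003:1] LOCAL rule without classtype [Priority: 2] {UDP} 192.0.2.11:5353 -> 198.51.100.5:53
Jun 27 16:32:26 sensor1 sshd[991]: Accepted publickey for ops from 198.51.100.9 port 51022 ssh2
"""

INT_FIELDS = ("pid", "gid", "sid", "rev", "priority", "sport", "dport")

def parse_alert(line):
    """Return the fields of one Snort alert line as a dict, or None for any other line."""
    m = ALERT_RE.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:  # optional fields that were absent stay None
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_syslog(text):
    """Parse every Snort alert in a block of syslog text, skipping other daemons' lines."""
    return [rec for rec in map(parse_alert, text.splitlines()) if rec is not None]

def count_by_sid(alerts):
    """Count alerts per signature id, a cheap first triage view over a syslog feed."""
    return dict(Counter(rec["sid"] for rec in alerts))

def urgent(alerts, max_priority=1):
    """Alerts at or above the given priority (Snort priority 1 is the most severe)."""
    return [rec for rec in alerts if rec["priority"] <= max_priority]
```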