[Snort-devel] [Snort-sigs] Snort.org Blog: Snort's output methods

Steven Sturges ssturges at ...402...
Mon Jun 27 16:41:20 EDT 2011

Syslog is one of those that is pretty important for a lot of folks.

Though, I wouldn't recommend using a remote syslog for the same
reasons as using a remote DB....


On 7/22/64 2:59 PM, L0rd Ch0de1m0rt wrote:
> I use syslog output exclusively and if it went away I would have to
> immediately transfer my large infrastructure to Suricata and take my
> dozen of Sourcefire appliances and use half of them for target practice
> with my AR-15 and Glock .40 and the other half I would build a Beowulf
> cluster for OISF/EmergingThreats Pro to utilize.  Since Suricata is Open
> Source, I would take my Sourcefire appliance budget and buy huge solar
> panels to power the cluster.  Sounds like fun.
> -L0rd C.
> On Mon, Jun 27, 2011 at 10:16 AM, Joel Esler <jesler at ...402...> wrote:
>     http://blog.snort.org/2011/06/snorts-output-methods.html
>     Snort's output methods
>     Ever since the beginning of Snort, one of the main concerns was "how
>     do I get data out of Snort".  Some of the options available have
>     their advantages and disadvantages.
>     There's some that aren't used.
>     There's some that cause Snort to be slow.
>     There's some that we don't maintain and don't frequently test.
>     and
>     There's some that we want to get rid of.
>     One of those output methods is the "spo_database" module.  Or the
>     module in Snort that directly inputs data from Snort into a mysql,
>     postgres, or an Oracle database.  This logging method was written
>     back in the late 90's by a college student (along with the db schema
>     and the interface ACID) as a project for his thesis.
>     It hasn't been very well maintained since then.  In fact, we don't
>     test against it, and we don't recommend it for use.  It makes Snort,
>     which is a high-speed data processor, have to stop doing what it's
>     doing (being an IPS), and insert data into the database.  While
>     Snort is inserting into the database, this stops inspection waiting
>     for the database connection.
>     So we are going to remove it.
>     In order to provide the type of functionality we'd like to provide
>     with Snort in the next few releases (more data for you!), we needed
>     someone to take over the maintenance of the db schema that is
>     shipped with Snort as well.   As a result of the discussion on the
>     Snort-devel list, the team members over at the barnyard2 project
>     have agreed to take over the maintenance of these schemas.
>     At this point I'd like to hear from the community as well.  So
>     please leave comments.
>     What output plugins do you use?
>     Will you be affected by this change (we hope a lot of you aren't
>     using the spo_database method)?
>     What other output plugins do you think we can "show the door"?
>     Please leave comments at the above link.
>     Thanks.
>     Joel Esler
>     OpenSource Community Manager
