[Snort-devel] [Snort-sigs] Snort.org Blog: Snort's output methods

Joel Esler jesler at ...402...
Mon Jun 27 16:43:25 EDT 2011


Syslog isn't going away. Too many people and correlation tools use it. Thanks though.

Joel

On Jun 27, 2011, at 4:41 PM, Steven Sturges wrote:

> Syslog is one of those that is pretty important for a lot of folks.
> 
> Though, I wouldn't recommend using a remote syslog for the same
> reasons as using a remote DB....
> 
> Cheers.
> -s
> 
> On 7/22/64 2:59 PM, L0rd Ch0de1m0rt wrote:
>> I use syslog output exclusively and if it went away I would have to
>> immediately transfer my large infrastructure to Suricata and take my
>> dozen Sourcefire appliances and use half of them for target practice
>> with my AR-15 and Glock .40 and the other half I would build a Beowulf
>> cluster for OISF/EmergingThreats Pro to utilize.  Since Suricata is Open
>> Source, I would take my Sourcefire appliance budget and buy huge solar
>> panels to power the cluster.  Sounds like fun.
>> 
>> 
>> -L0rd C.
>> 
>> On Mon, Jun 27, 2011 at 10:16 AM, Joel Esler <jesler at ...402...> wrote:
>> 
>> 
>>    http://blog.snort.org/2011/06/snorts-output-methods.html
>> 
>>    Snort's output methods
>> 
>>    Ever since the beginning of Snort, one of the main concerns was "how
>>    do I get data out of Snort".  Some of the options available have
>>    their advantages and disadvantages.
>> 
>>    There's some that aren't used.
>>    There's some that cause Snort to be slow.
>>    There's some that we don't maintain and don't frequently test.
>>    and
>>    There's some that we want to get rid of.
>> 
>>    One of those output methods is the "spo_database" module.  Or the
>>    module in Snort that directly inputs data from Snort into a mysql,
>>    postgres, or an Oracle database.  This logging method was written
>>    back in the late 90's by a college student (along with the db schema
>>    and the interface ACID) as a project for his thesis.
>> 
>>    It hasn't been very well maintained since then.  In fact, we don't
>>    test against it, and we don't recommend it for use.  It makes Snort,
>>    which is a high-speed data processor, have to stop doing what it's
>>    doing (being an IPS), and insert data into the database.  While
>>    Snort is inserting into the database, this stops inspection waiting
>>    for the database connection.
>> 
>>    So we are going to remove it.
>> 
>>    In order to provide the type of functionality we'd like to provide
>>    with Snort in the next few releases (more data for you!), we needed
>>    someone to take over the maintenance of the db schema that is
>>    shipped with Snort as well.   As a result of the discussion on the
>>    Snort-devel list, the team members over at the barnyard2 project
>>    have agreed to take over the maintenance of these schemas.
>> 
>>    At this point I'd like to hear from the community as well.  So
>>    please leave comments.
>> 
>>    What output plugins do you use?
>>    Will you be affected by this change (we hope a lot of you aren't
>>    using the spo_database method)?
>>    What other output plugins do you think we can "show the door"?
>> 
>>    Please leave comments at the above link.
>> 
>>    Thanks.
>> 
>>    Joel Esler
>>    OpenSource Community Manager
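The blocking output the quoted blog post describes, shown next to the decoupled alternative it points at (spooling to disk and letting barnyard2 do the database work). Added illustration for this thread, not configuration from the post or shipped with Snort; the paths, database name and credentials are placeholders.

```conf
# --- snort.conf: the deprecated direct-to-database path (spo_database) ---
# Each insert happens inside Snort's own event loop, so inspection waits
# on the database round-trip. This is the module the blog says will be removed.
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# --- snort.conf: decoupled alternative ---
# Snort only appends binary unified2 records to a local spool file; no
# network or database call sits in the inspection path.
output unified2: filename snort.u2, limit 128

# --- barnyard2.conf: a separate process drains the spool ---
# barnyard2 reads the unified2 spool and performs the slow inserts, so a
# stalled or remote database delays alert delivery but not packet inspection.
input unified2
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# Start barnyard2 as its own daemon, tracking its read position in a waldo file
# (paths are assumed; adjust to your install):
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo -D
```

The same decoupling argument applies to remote syslog: ship alerts to a local file or local syslog daemon and let a forwarder handle the network hop, so inspection never blocks on a remote endpoint.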