[Snort-devel] [Snort-sigs] Snort.org Blog: Snort's output methods
jesler at ...402...
Mon Jun 27 16:43:25 EDT 2011
Syslog isn't going away. Too many people and correlation tools use it. Thanks though.
On Jun 27, 2011, at 4:41 PM, Steven Sturges wrote:
> Syslog is one of those that is pretty important for a lot of folks.
> Though, I wouldn't recommend using a remote syslog for the same
> reasons as using a remote DB....
> On 7/22/64 2:59 PM, L0rd Ch0de1m0rt wrote:
>> I use syslog output exclusively and if it went away I would have to
>> immediately transfer my large infrastructure to Suricata and take my
>> dozens of Sourcefire appliances and use half of them for target practice
>> with my AR-15 and Glock .40 and the other half I would build a Beowulf
>> cluster for OISF/EmergingThreats Pro to utilize. Since Suricata is Open
>> Source, I would take my Sourcefire appliance budget and buy huge solar
>> panels to power the cluster. Sounds like fun.
>> -L0rd C.
>> On Mon, Jun 27, 2011 at 10:16 AM, Joel Esler <jesler at ...402...> wrote:
>> Snort's output methods
>> Ever since the beginning of Snort, one of the main concerns was "how
>> do I get data out of Snort". Some of the options available have
>> their advantages and disadvantages.
>> There's some that aren't used.
>> There's some that cause Snort to be slow.
>> There's some that we don't maintain and don't frequently test.
>> There's some that we want to get rid of.
>> One of those output methods is the "spo_database" module. Or the
>> module in Snort that directly inputs data from Snort into a mysql,
>> postgres, or an Oracle database. This logging method was written
>> back in the late 90's by a college student (along with the db schema
>> and the interface ACID) as a project for his thesis.
>> It hasn't been very well maintained since then. In fact, we don't
>> test against it, and we don't recommend it for use. It makes Snort,
>> which is a high-speed data processor, have to stop doing what it's
>> doing (being an IPS), and insert data into the database. While
>> Snort is inserting into the database, this stops inspection waiting
>> for the database connection.
>> So we are going to remove it.
>> In order to provide the type of functionality we'd like to provide
>> with Snort in the next few releases (more data for you!), we needed
>> someone to take over the maintenance of the db schema that is
>> shipped with Snort as well. As a result of the discussion on the
>> Snort-devel list, the team members over at the barnyard2 project
>> have agreed to take over the maintenance of these schemas.
>> At this point I'd like to hear from the community as well. So
>> please leave comments.
>> What output plugins do you use?
>> Will you be affected by this change (we hope a lot of you aren't
>> using the spo_database method)?
>> What other output plugins do you think we can "show the door"?
>> Please leave comments at the above link.
>> Joel Esler
>> OpenSource Community Manager
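The blocking behaviour Joel describes for spo_database, and Steven's point that a remote syslog or remote database has the same problem, come down to one design question: does the inspection thread wait for the output sink, or does it hand the alert to a local spool and move on (the split barnyard2 exists for)? The following is an added illustration and not code from this thread, from Snort or from barnyard2. It models the two designs with a simulated cost per write and a constructed seven-field record format that is not Snort's real unified2 layout; `inspect`, `DirectDatabaseOutput`, `SpoolOutput`, `read_spool` and the traffic sample are all constructed for the example.

```python
"""Spool-vs-direct output model (added example, not Snort or barnyard2 code)."""
import os
import socket
import struct
import tempfile

# Constructed record layout: sensor_id, event_id, epoch_seconds, sig_id,
# src_ip, dst_ip, priority as seven big-endian unsigned 32-bit integers.
# A deliberately simplified stand-in, not Snort's unified2 format.
RECORD_FMT = "!7I"
RECORD_SIZE = struct.calcsize(RECORD_FMT)


def ip_to_int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def pack_alert(alert):
    """Serialize one alert dict into a fixed-size binary record."""
    return struct.pack(RECORD_FMT, alert["sensor_id"], alert["event_id"],
                       alert["ts"], alert["sig_id"], ip_to_int(alert["src"]),
                       ip_to_int(alert["dst"]), alert["priority"])


def unpack_alert(raw):
    """Inverse of pack_alert; used by the consumer side."""
    s, e, ts, sig, src, dst, pri = struct.unpack(RECORD_FMT, raw)
    return {"sensor_id": s, "event_id": e, "ts": ts, "sig_id": sig,
            "src": int_to_ip(src), "dst": int_to_ip(dst), "priority": pri}


class DirectDatabaseOutput:
    """Models spo_database: the inspection thread performs the insert
    itself and waits for the round trip. insert_cost is simulated time
    units per insert (constructed value)."""
    def __init__(self, insert_cost=200):
        self.insert_cost = insert_cost
        self.rows = []

    def emit(self, alert):
        self.rows.append(alert)
        return self.insert_cost  # inspection is stalled for this long


class SpoolOutput:
    """Models a local spool output: append a record to a local file and
    return at once. write_cost is simulated time for a local append
    (constructed value)."""
    def __init__(self, path, write_cost=1):
        self.path = path
        self.write_cost = write_cost

    def emit(self, alert):
        with open(self.path, "ab") as f:
            f.write(pack_alert(alert))
        return self.write_cost


def inspect(packets, output, packet_cost=1):
    """Toy inspection loop: a packet to TCP/23 raises a constructed alert
    (sig_id 1000001). Returns simulated time split into inspection work
    and time blocked waiting on the output sink."""
    inspect_time = blocked_time = 0
    event_id = 0
    for pkt in packets:
        inspect_time += packet_cost
        if pkt["dport"] == 23:
            event_id += 1
            alert = {"sensor_id": 1, "event_id": event_id, "ts": pkt["ts"],
                     "sig_id": 1000001, "src": pkt["src"], "dst": pkt["dst"],
                     "priority": 2}
            blocked_time += output.emit(alert)
    return {"inspect": inspect_time, "blocked": blocked_time}


def read_spool(path):
    """Consumer side (the role barnyard2 plays): parse records off the
    spool in a separate process, so the slow database or remote-syslog
    write never touches the inspection loop."""
    alerts = []
    with open(path, "rb") as f:
        while True:
            raw = f.read(RECORD_SIZE)
            if len(raw) < RECORD_SIZE:
                break
            alerts.append(unpack_alert(raw))
    return alerts


def demo():
    # Constructed traffic: ten packets, three of them to telnet (i = 0, 4, 8).
    packets = [{"ts": 1309200000 + i, "src": "10.0.0.%d" % (i + 1),
                "dst": "192.0.2.10", "dport": 23 if i % 4 == 0 else 80}
               for i in range(10)]
    direct = inspect(packets, DirectDatabaseOutput())
    fd, path = tempfile.mkstemp(suffix=".spool")
    os.close(fd)
    try:
        spooled = inspect(packets, SpoolOutput(path))
        consumed = read_spool(path)
    finally:
        os.unlink(path)
    return direct, spooled, consumed


if __name__ == "__main__":
    d, s, c = demo()
    print("direct-to-DB:", d, "| spooled:", s, "| records consumed:", len(c))
```

With the constructed costs the direct design spends 600 simulated units blocked for 10 units of inspection, while the spooled design spends 3, and the consumer still recovers every alert with all fields intact. The same argument applies to any output whose latency depends on a network peer, which is why the thread recommends against remote syslog and remote databases in-line.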