[Snort-devel] Snort.org Blog: Snort's output methods

Martin Roesch roesch at ...402...
Tue Jun 28 13:41:29 EDT 2011


Yeah, I think I can safely assure you that syslog is never going away.
Where never = for as long as people use syslog.



On Mon, Jun 27, 2011 at 4:32 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...2499...>wrote:

> I use syslog output exclusively and if it went away I would have to
> immediately transfer my large infrastructure to Suricata and take my dozen
> Sourcefire appliances and use half of them for target practice with my
> AR-15 and Glock .40 and the other half I would build a Beowulf cluster for
> OISF/EmergingThreats Pro to utilize.  Since Suricata is Open Source, I would
> take my Sourcefire appliance budget and buy huge solar panels to power the
> cluster.  Sounds like fun.
>
>
> -L0rd C.
>
> On Mon, Jun 27, 2011 at 10:16 AM, Joel Esler <jesler at ...402...>wrote:
>
>>
>> http://blog.snort.org/2011/06/snorts-output-methods.html
>>
>> Snort's output methods
>>
>> Ever since the beginning of Snort, one of the main concerns was "how do I
>> get data out of Snort".  Some of the options available have their advantages
>> and disadvantages.
>>
>> There's some that aren't used.
>> There's some that cause Snort to be slow.
>> There's some that we don't maintain and don't frequently test.
>> and
>> There's some that we want to get rid of.
>>
>> One of those output methods is the "spo_database" module.  Or the module
>> in Snort that directly inputs data from Snort into a mysql, postgres, or an
>> Oracle database.  This logging method was written back in the late 90's by a
>> college student (along with the db schema and the interface ACID) as a
>> project for his thesis.
>>
>> It hasn't been very well maintained since then.  In fact, we don't test
>> against it, and we don't recommend it for use.  It makes Snort, which is a
>> high-speed data processor, have to stop doing what it's doing (being an
>> IPS), and insert data into the database.  While Snort is inserting into the
>> database, this stops inspection waiting for the database connection.
>>
>> So we are going to remove it.
>>
>>
>> In order to provide the type of functionality we'd like to provide with
>> Snort in the next few releases (more data for you!), we needed someone to
>> take over the maintenance of the db schema that is shipped with Snort as
>> well.   As a result of the discussion on the Snort-devel list, the team
>> members over at the barnyard2 project have agreed to take over the
>> maintenance of these schemas.
>>
>> At this point I'd like to hear from the community as well.  So please
>> leave comments.
>>
>> What output plugins do you use?
>> Will you be affected by this change (we hope a lot of you aren't using the
>> spo_database method)?
>> What other output plugins do you think we can "show the door"?
>>
>> Please leave comments at the above link.
>>
>> Thanks.
>>
>> Joel Esler
>> OpenSource Community Manager
>>
>>
>> ------------------------------------------------------------------------------
>> All of the data generated in your IT infrastructure is seriously valuable.
>> Why? It contains a definitive record of application performance, security
>> threats, fraudulent activity, and more. Splunk takes this data and makes
>> sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-d2d-c2
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>


-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
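The decoupling the blog post describes (Snort writing unified2 records to disk while a separate barnyard2 process performs the database inserts) as added configuration fragments; these are not from the thread or from either project's shipped configs, and the credentials, paths, hostname and interface name are placeholders.

```conf
# ---- snort.conf (constructed example) ----
# Deprecated path: Snort opens the DB connection itself and blocks inspection
# on every insert, which is the behaviour the post objects to.
# output database: log, mysql, user=snort password=REPLACE_ME dbname=snort host=localhost

# Recommended path: write binary unified2 records to a spool file; this is a
# local disk write and never waits on a database.
output unified2: filename snort.u2, limit 128

# syslog remains available directly from Snort (facility/level are placeholders)
output alert_syslog: LOG_LOCAL4 LOG_ALERT

# ---- barnyard2.conf (constructed example) ----
# barnyard2 tails the unified2 spool and does the slow work out of band,
# so a stalled database delays only barnyard2, not packet inspection.
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map
config hostname:  sensor1
config interface: eth0
input unified2
output database: log, mysql, user=snort password=REPLACE_ME dbname=snort host=localhost
output alert_syslog: LOG_LOCAL4 LOG_ALERT

# Start barnyard2 against the spool directory; the waldo file records the
# last processed record so restarts do not re-insert or skip events.
#   barnyard2 -c /etc/barnyard2/barnyard2.conf -d /var/log/snort \
#             -f snort.u2 -w /var/log/snort/barnyard2.waldo
```

If the database becomes unreachable, the unified2 spool keeps growing on disk while Snort keeps inspecting, so disk usage on the spool volume is the thing to monitor.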