[Snort-users] Re: ACID Configuration

Roman Danyliw roman at ...438...
Mon Nov 13 10:16:43 EST 2000


Frank,

Karl is absolutely right. Should the mysql daemon die or connectivity to
it be impaired (be it extremely high network latency or actual
disconnect), Snort will drop the alert after only a single attempt.  When
this occurs, an error message like the following will probably appear:

"database: mysql_error: MySQL server has gone away"

cheers,
Roman

On Sun, 12 Nov 2000, Karl Lovink wrote:

>
> I think the data will be lost. What should be implemented to get this fixed
> is some kind of backlog. Snort should keep the data in a backlog and try to
> resend the data to the database server. When the database server is
> available again it should empty its backlog.
>
>
> Kind regards,
> Karl
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Frank Reid
> Sent: Saturday 11 November 2000 21:33
> To: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Re: ACID Configuration
>
>
> Thanks, Roman.  ACID is a very impressive project in its own right, and it
> provides a great deal of functionality even now.  Thanks for supporting and
> developing it.
>
> Question on Snort... is behavior defined when logging to database and the
> database becomes unavailable?  My specific concern is sensor behavior when
> network anomalies prevent it from locating the database server, e.g. upon
> loss of network connectivity for upstream reporting.  I could pull plugs and
> guess at the results, but I figured someone would know based on the code
> itself.  Thanks.
>
> Frank
> 
> 
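
The backlog idea raised in this thread, sketched as an added example (not Snort or ACID code, and not written by anyone in the thread): alerts are queued, retried oldest first, and removed only after a confirmed insert. `AlertBacklog`, `DatabaseUnavailable` and `FlakyDatabase` are hypothetical names, and the queue lives in memory only, so it is assumed the sensor process stays up during the outage.

```python
from collections import deque


class DatabaseUnavailable(Exception):
    """Raised by the insert callable when the database cannot be reached."""


class AlertBacklog:
    """Hypothetical store-and-forward queue in front of a database insert."""

    def __init__(self, insert, max_pending=10000):
        self.insert = insert            # callable(alert), may raise DatabaseUnavailable
        self.max_pending = max_pending  # bound memory use during long outages
        self.pending = deque()
        self.dropped = 0                # overflow losses are counted, not silent

    def submit(self, alert):
        """Queue the alert, try to drain, then enforce the size bound."""
        self.pending.append(alert)
        sent = self.flush()
        while len(self.pending) > self.max_pending:
            self.pending.popleft()      # oldest alert is sacrificed first
            self.dropped += 1
        return sent

    def flush(self):
        """Send queued alerts oldest first; stop at the first failure."""
        sent = 0
        while self.pending:
            try:
                self.insert(self.pending[0])
            except DatabaseUnavailable:
                break                   # alert stays queued for the next attempt
            self.pending.popleft()      # removed only after a confirmed insert
            sent += 1
        return sent


class FlakyDatabase:
    """Constructed stand-in for the MySQL server; `up` toggles availability."""

    def __init__(self):
        self.up, self.rows = True, []

    def insert(self, alert):
        if not self.up:
            raise DatabaseUnavailable("MySQL server has gone away")
        self.rows.append(alert)
```

Wrapping `FlakyDatabase().insert` in `AlertBacklog` and toggling `up` shows alerts surviving an outage in arrival order, with `dropped` recording any that exceeded `max_pending`.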



