[Snort-users] Queuing MSSQL log data without Barnyard

Chris Green cmg at ...671...
Mon Sep 24 08:58:11 EDT 2001

"Burleson, Lee (IA)" <Lee.Burleson at ...1358...> writes:

> Just an idea for anyone that is interested; feedback appreciated.
> In the absence of Barnyard, I am toying with the following scenario:
> *  Central DB: Win2k, MSSQL Standard, with Replication components installed
> *  Snort sensor(s): Win2k, MSSQL _Personal_, Snort configured to log to
> itself
> *  The sensors would then be set up to replicate their local Snort DB to the
> Central DB, in a push only scenario.
> *  All traffic between sensors and Central DB would be secured with IPSec.
> *  MSSQL Replication would be handled in a queuing fashion.
> *  No more problems with downtime of Central DB, as Sensors are logging to
> themselves.

SQL insertion is a slow operation compared to network wirespeed. One
thing that you may consider doing is binary logging and then use
another instance of snort to do the logging to the local database.

When DB support is available for barnyard, you may also just consider
doing that exact same scenario with barnyard pushing to local db.

Chris Green <cmg at ...671...>
A watched process never cores.
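The two-stage arrangement Chris describes (the sensor writes packets in tcpdump binary format at capture time, and a separate Snort process later replays that file and does the slow database inserts), written out as an added example that is not part of the original thread or of the Snort distribution. The directives are Snort 1.8-era syntax (`output log_tcpdump`, `output database`, `-b`, `-r`); the file names, log directory, interface number, database name and credentials are placeholders chosen for a Win2k sensor like Lee's and are assumptions, not values from the thread.

```conf
# ---- Sensor instance: capture at wire speed, no database work ----
# Added example; paths, interface number and credentials are assumptions.
# File: C:\snort\sensor.conf  (preprocessors and rules as usual, then:)

# Log matching packets in tcpdump binary format instead of inserting rows.
output log_tcpdump: snort.log

# Start the sensor (interface 1 as listed by "snort -W"):
#   snort -c C:\snort\sensor.conf -l C:\snort\log -i 1
# Equivalent shortcut without an output line in the config:
#   snort -b -c C:\snort\sensor.conf -l C:\snort\log -i 1


# ---- Second instance: replay the binary log into the local MSSQL DB ----
# File: C:\snort\dbload.conf  (same ruleset, different output plugin)

# Same rules re-fire on the replayed packets; only this process talks to SQL.
output database: log, mssql, dbname=snort user=snort password=CHANGEME

# Run against a finished capture file, not the one the sensor is still writing:
#   snort -r C:\snort\log\snort.log.1001234567 -c C:\snort\dbload.conf -l C:\snort\log
```

The second instance reads its input file to the end and exits, so it is run on rotated capture files (for example by a scheduled task), while the capturing sensor never blocks on an insert. That keeps the sensor independent of both the local and the central database, which is the property Lee was after, and the same replay step is what barnyard would later take over.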

