[Snort-users] Queuing MSSQL log data without Barnyard

Burleson, Lee (IA) Lee.Burleson at ...1358...
Mon Sep 24 09:45:08 EDT 2001


Chris -

I didn't realize that a db write would cause Snort to drop packets.  If so,
I will have to keep an eye on it. -see question below-  Currently the
sensors are logging directly to the central MSSQL DB over IPSec - I did not
see any packet loss in my trials.  If processor utilization has anything to
do with it, I have _lots_ of cycles to spare.  Hopefully logging to a local
DB would keep loss to a minimum.

Question: How does one, in Win32, cause Snort to give statistics on demand?
I seem to remember that one can send a signal to the Snort process in *n?x
to achieve this, but I see no Win32 equivalent.

- Lee

> -----Original Message-----
> From: Chris Green [mailto:cmg at ...671...]
> Sent: Monday, September 24, 2001 10:54
> To: Burleson, Lee (IA)
> Cc: Snort-Users (E-mail)
> Subject: Re: [Snort-users] Queuing MSSQL log data without Barnyard
> 
> 
> "Burleson, Lee (IA)" <Lee.Burleson at ...1358...> writes:
> 
> > Just an idea for anyone that is interested; feedback appreciated.
> >
> > In the absence of Barnyard, I am toying with the following scenario:
> >
> > *  Central DB: Win2k, MSSQL Standard, with Replication components installed
> > *  Snort sensor(s): Win2k, MSSQL _Personal_, Snort configured to log to
> >    itself
> >
> > *  The sensors would then be set up to replicate their local Snort DB to the
> >    Central DB, in a push-only scenario.
> > *  All traffic between sensors and Central DB would be secured with IPSec.
> > *  MSSQL Replication would be handled in a queuing fashion.
> > *  No more problems with downtime of Central DB, as Sensors are logging to
> >    themselves.
> 
> SQL insertion is a slow operation compared to network wire speed. One
> thing that you may consider doing is binary logging and then use
> another instance of snort to do the logging to the local database.
> 
> When DB support is available for barnyard, you may also just consider
> doing that exact same scenario with barnyard pushing to local db.
> -- 
> Chris Green <cmg at ...671...>
> A watched process never cores.
> 