[Snort-users] Queuing MSSQL log data without Barnyard
Burleson, Lee (IA)
Lee.Burleson at ...1358...
Mon Sep 24 09:45:08 EDT 2001
I didn't realize that a db write would cause Snort to drop packets. If so,
I will have to keep an eye on it. -see question below- Currently the
sensors are logging directly to the central MSSQL DB over IPSec - I did not
see any packet loss in my trials. If processor utilization has anything to
do with it, I have _lots_ of cycles to spare. Hopefully logging to a local
DB would keep loss to a minimum.
Question: How does one, in Win32, cause Snort to give statistics on demand?
I seem to remember that one can send a signal to the Snort process in *n?x
to achieve this, but I see no Win32 equivalent.
> -----Original Message-----
> From: Chris Green [mailto:cmg at ...671...]
> Sent: Monday, September 24, 2001 10:54
> To: Burleson, Lee (IA)
> Cc: Snort-Users (E-mail)
> Subject: Re: [Snort-users] Queuing MSSQL log data without Barnyard
> "Burleson, Lee (IA)" <Lee.Burleson at ...1358...> writes:
> > Just an idea for anyone that is interested; feedback appreciated.
> > In the absence of Barnyard, I am toying with the following scenario:
> > * Central DB: Win2k, MSSQL Standard, with Replication components installed
> > * Snort sensor(s): Win2k, MSSQL _Personal_, Snort configured to log to itself
> > * The sensors would then be set up to replicate their local Snort DB to the Central DB, in a push only scenario.
> > * All traffic between sensors and Central DB would be secured with IPSec.
> > * MSSQL Replication would be handled in a queuing fashion.
> > * No more problems with downtime of Central DB, as Sensors are logging to themselves.
> SQL insertion is a slow operation compared to network wirespeed. One
> thing that you may consider doing is binary logging and then use
> another instance of snort to do the logging to the local database.
> When DB support is available for barnyard, you may also just consider
> doing that exact same scenario with barnyard pushing to local db.
> Chris Green <cmg at ...671...>
> A watched process never cores.