[Snort-users] Queuing MSSQL log data without Barnyard

Chris Green cmg at ...671...
Mon Sep 24 12:31:04 EDT 2001


"Burleson, Lee (IA)" <Lee.Burleson at ...1358...> writes:

> Chris -
>
> I didn't realize that a db write would cause Snort to drop packets.
> If so,

It's not guaranteed to cause packet loss but it can depending on
traffic/alert rate/insert speed.

> I will have to keep an eye on it. -see question below-  Currently the
> sensors are logging directly to the central MSSQL DB over IPSec - I did not
> see any packet loss in my trials.  If processor utilization has anything to
> do with it, I have _lots_ of cycles to spare.  Hopefully logging to a local
> DB would keep loss to a minimum.

I'd try an experiment where you have an alert rule that goes off on
echo requests and then send 1000 while other traffic is on the wire.
Silly but would let you see how the setup handles peaks in traffic/alerts.

> Question: How does one, in Win32, cause Snort to give statistics on
> demand?

Not sure as I'm not a windows snort user.

> I seem to remember that one can send a signal to the Snort process in *n?x
> to achieve this, but I see no Win32 equivalent.
>
> - Lee

-- 
Chris Green <cmg at ...671...>
Laugh and the world laughs with you, snore and you sleep alone.



