[Snort-users] Sanity check for high volume logging

Zarathustra Ubermensch zubermensch at ...125...
Mon Jan 7 13:35:03 EST 2002

Config: snort 1.8.1 running under Solaris 8 (netra t1) with mysql 3.23

I'm currently monitoring some pretty high traffic levels and am logging them 
to mysql with the following command lines in my snort.conf

output database: log, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=localhost

output database: alert, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=localhost

Performance is lacking, so I'd like to switch to binary logging by using 
something like "output log_tcpdump: sensor.company.com-tcpdump.log"

My questions:
1. Will this capture both "log" and "alert" information similar to the way 
in which my current mysql config works? i.e. will I get the same data 
regardless of the logging mechanism (tcpdump or mysql)?

2. I'd still like to aggregate this data to a much beefier database server 
for long term trend analysis. Can I use a different snort.conf file that 
uses "output database" configs and simply replay the tcpdump logs against 
that snort.conf to populate the database?

I'm pretty sure I already know the answers, but I thought I'd ask JIC 
there's a better way to do this. Thanks for any help that you can give.

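As an added example (not from the original post or from the Snort project), a small Python helper that parses the `output database:` directives quoted above, writes a sensor-side conf that replaces them with a single `output log_tcpdump:` directive, and writes an aggregator-side conf with `host=` retargeted at the beefier database server; the sample conf text, the tcpdump file name and the database host name are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample: the two directives from the post, each on one line
# (Snort reads a directive as a single line; the e-mail wrapped them).
SAMPLE_CONF = (
    "output database: log, mysql, user=mysql sensor_name=sensor.company.com "
    "dbname=snort host=localhost\n"
    "output database: alert, mysql, user=mysql sensor_name=sensor.company.com "
    "dbname=snort host=localhost\n"
)

# output database: <facility>, <backend>, <key=value ...>
DB_RE = re.compile(r"^output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")


def parse_database_outputs(conf: str) -> List[Dict]:
    """One dict per 'output database:' directive: facility, backend, params."""
    found = []
    for line in conf.splitlines():
        m = DB_RE.match(line.strip())
        if m:
            facility, backend, rest = m.groups()
            params = dict(kv.split("=", 1) for kv in rest.split())
            found.append({"facility": facility, "backend": backend, "params": params})
    return found


def capture_conf(conf: str, pcap_name: str) -> str:
    """Sensor-side conf: drop the database outputs, add one log_tcpdump output.
    log_tcpdump is a log plugin; alert-action rules also log their packet,
    so one directive receives packets from both rule actions."""
    kept = [ln for ln in conf.splitlines() if not DB_RE.match(ln.strip())]
    kept.append(f"output log_tcpdump: {pcap_name}")
    return "\n".join(kept) + "\n"


def replay_conf(conf: str, db_host: str) -> str:
    """Aggregator-side conf: same database outputs, host= pointed at db_host."""
    out = []
    for line in conf.splitlines():
        m = DB_RE.match(line.strip())
        if m:
            facility, backend, rest = m.groups()
            params = dict(kv.split("=", 1) for kv in rest.split())
            params["host"] = db_host  # placeholder host supplied by the caller
            line = f"output database: {facility}, {backend}, " + " ".join(
                f"{k}={v}" for k, v in params.items())
        out.append(line)
    return "\n".join(out) + "\n"
```

The replay itself is then `snort -r <tcpdump file> -c <replay conf>`, which reads packets from the file instead of an interface and runs them through the database outputs in that conf.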
