[Snort-users] Sanity check for high volume logging

Martin Roesch roesch at ...1935...
Tue Jan 8 20:12:04 EST 2002


Zarathustra Ubermensch wrote:
> 
> Hello,
> Config: snort 1.8.1 running under Solaris 8 (netra t1) with mysql 3.23
> 
> I'm currently monitoring some pretty high traffic levels and am logging them
> to mysql with the following command lines in my snort.conf
> 
> output database: log, mysql, user=mysql sensor_name=sensor.company.com
> dbname=snort host=localhost
> 
> output database: alert, mysql, user=mysql sensor_name=sensor.company.com
> dbname=snort host=localhost
> 
> Performance is lacking, so I'd like to switch to binary logging by using
> something like "output log_tcpdump: sensor.company.com-tcpdump.log"
> 
> My questions:
> 1. Will this capture both "log" and "alert" information similar to the way
> in which my current mysql config works? i.e. Will I get the same data
> regardless of the logging mechanism (tcpdump or mysql)?

The tcpdump logging mechanism logs the binary packets straight from the
wire, that's all you get.  You have to match the packets back up with
the alerts later.  Please note, logs != alerts in Snort, alerts tell you
something interesting has happened, logs let you see what it was.

> 2. I'd still like to aggregate this data to a much beefier database server
> for long term trend analysis. Can I use a different snort.conf file that
> uses "output database" configs and simply replay the tcpdump logs against
> that snort.conf to populate the database?

Yes.

You might also want to check out the new unified logging format and
barnyard, they're The Future when it comes to Snort logging and high
performance.

     -Marty


--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
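The two-stage setup Marty describes (binary packet log on the sensor, later replay into a database on a beefier host), as an added shell example that is not part of the original thread. The hostnames, file paths and mysql credentials are assumed placeholders; the configs are fragments to merge with the sensor's existing rule and preprocessor lines.

```shell
#!/bin/sh
# Added example, not from the original post. Stage 1: the sensor writes raw
# packets with log_tcpdump and does no database work on the hot path.
# Stage 2: a replay host reads that file with `snort -r` against a second
# snort.conf whose output plugins are the database ones, so detection is
# re-run over the packets and both alerts and logs land in the database.
# All hostnames, paths and credentials below are assumed placeholders.

# Sensor-side snort.conf fragment: binary packet log only.
write_sensor_conf() {
    conf="$1"
    cat > "$conf" <<'EOF'
# sensor-side: write packets straight from the wire, no database output
output log_tcpdump: sensor.company.com-tcpdump.log
EOF
}

# Replay-side snort.conf fragment: same rules, database output instead.
write_replay_conf() {
    conf="$1"
    dbhost="$2"
    cat > "$conf" <<EOF
# replay-side: populate the trend-analysis database from the tcpdump file
output database: log, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=$dbhost
output database: alert, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=$dbhost
EOF
}

# Build the replay command: -r reads the tcpdump file, -c applies the replay
# config, -l sets the log directory. Printed rather than executed so it can
# be reviewed on a host without a snort binary.
replay_cmd() {
    pcap="$1"; conf="$2"; logdir="$3"
    printf 'snort -r %s -c %s -l %s\n' "$pcap" "$conf" "$logdir"
}

# Number of output plugins configured in a given snort.conf fragment.
count_output_lines() {
    grep -c '^output ' "$1"
}

# Usage: write both fragments, then run the replay where snort is installed.
# write_sensor_conf /etc/snort/snort.conf
# write_replay_conf /etc/snort/replay.conf dbserver.company.com
# $(replay_cmd /var/log/snort/sensor.company.com-tcpdump.log /etc/snort/replay.conf /var/log/snort)
```

The sensor's rule set must be the same on both sides, otherwise the replay produces different alerts from what the sensor would have raised live.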