[Snort-users] Alerts not Detected during Import?

Erek Adams erek at ...950...
Thu Jun 26 10:15:12 EDT 2003


On Thu, 26 Jun 2003, Dusty Hall wrote:

>   Thanks for the Enlightening Answer, it all makes sense now.  I guess
> the only way to fix this is to change the output on Snort1 to point
> directly to the DB server?

You actually have a couple of options:

*  DB Output directly to the DB server
*  Use Barnyard and unified logging
*  Log all traffic to disk and have snort2 parse that data.

Option 3 isn't realistic unless you've got just a little traffic or a
whole lot of disk space.

I'm guessing that you might want to use Barnyard.  It has the handy
feature of being able to handle network failures to the DB server.  If you
do that, you could still log to pcap and save the pcap files to CD/DVD for
archival purposes.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list