[Snort-users] (no subject)
roesch at ...1935...
Wed Sep 29 07:46:02 EDT 2004
On Sep 29, 2004, at 7:25 AM, Peter Osterberg wrote:
> Anyway the problem I have is that reporting to the db is missed if
> some kind of network connection problem occurs between the sensor and
> the db.
Sounds like they're writing straight to the DB instead of spooling do
the local disk prior to writing the events to the DB. The downside to
doing it this way is that it's 1) slow (slows down Snort) and 2) lossy
in the event of a network outage.
> Is there some well known and practised way around this problem? I've
> been thinking of logging traffic to disk using tcpdump and with a
> decent file split size, say 1 MB. Check if there are finished files
> every 5 minutes, check if there is a working connection with the db,
> process dump files, report alerts and exit. Hang around for five more
> minutes and repeat. I've noticed that the reported time for detected
> events is the timestamp when the alert is stored in the database and
> not the timestamp of the tcppacket that triggers the event. I guess
> that the SQL function "now()" is used in the query!?
The "right way" to solve this problem is to use Barnyard and unified
output, that's what they were written for. I don't know if they'll
work with your "modified" Snort from Demarc, but it sounds like you've
got a problem that we've already solved here. I don't know if it'll
work with your commercial solution, but if you paid money for it you
should probably be getting support from them.
> Does anyone now if I can specify that "now()" shouldn't be used or
> some other way the reach my goals?
Digging around a little more, it looks like Barnyard won't work for you
if you're using the Puresecure backend, they've got their own modified
ACID-like output plugin and their own schema. You should contact
Demarc to see if they can come up with a solution for you.
> It just struck my mind that tcpdump most likely doesn't store
> timestamps for every packet in raw mode. Can I tell it to do so and
> will Snort be able to read it in case it is possible?
Tcpdump does store the timestamp with every packet, as does Snort in
pcap and unified output mode.
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
More information about the Snort-users