[Snort-users] (no subject)

Martin Roesch roesch at ...1935...
Wed Sep 29 07:46:02 EDT 2004


On Sep 29, 2004, at 7:25 AM, Peter Osterberg wrote:

> Anyway the problem I have is that reporting to the db is missed if 
> some kind of network connection problem occurs between the sensor and 
> the db.

Sounds like they're writing straight to the DB instead of spooling to 
the local disk prior to writing the events to the DB.  The downside to 
doing it this way is that it's 1) slow (slows down Snort) and 2) lossy 
in the event of a network outage.

> Is there some well known and practised way around this problem? I've 
> been thinking of logging traffic to disk using tcpdump and with a 
> decent file split size, say 1 MB. Check if there are finished files 
> every 5 minutes, check if there is a working connection with the db, 
> process dump files, report alerts and exit. Hang around for five more 
> minutes and repeat. I've noticed that the reported time for detected 
> events is the timestamp when the alert is stored in the database and 
> not the timestamp of the TCP packet that triggers the event. I guess 
> that the SQL function "now()" is used in the query!?

The "right way" to solve this problem is to use Barnyard and unified 
output, that's what they were written for.  I don't know if they'll 
work with your "modified" Snort from Demarc, but it sounds like you've 
got a problem that we've already solved here.  I don't know if it'll 
work with your commercial solution, but if you paid money for it you 
should probably be getting support from them.

> Does anyone know if I can specify that "now()" shouldn't be used or 
> some other way to reach my goals?

Digging around a little more, it looks like Barnyard won't work for you 
if you're using the Puresecure backend, they've got their own modified 
ACID-like output plugin and their own schema.  You should contact 
Demarc to see if they can come up with a solution for you.

> It just struck my mind that tcpdump most likely doesn't store 
> timestamps for every packet in raw mode. Can I tell it to do so and 
> will Snort be able to read it in case it is possible?

Tcpdump does store the timestamp with every packet, as does Snort in 
pcap and unified output mode.

      -Marty

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
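An added example, not part of the thread and not Barnyard's or Demarc's code, that demonstrates the two points Marty makes: a libpcap file carries its own timestamp on every packet record, and spooling alerts to local disk before shipping them to the database survives a connection outage without losing events or stamping them with the insert-time now(). The pcap bytes, the JSON-lines spool format, the sqlite3 database standing in for the real backend, and the simulated outage are all constructed assumptions for illustration.

```python
import json
import os
import sqlite3
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic for microsecond timestamps


def build_pcap(packets):
    """Construct a libpcap file in memory (constructed sample data, not a real capture).

    packets: list of (ts_sec, ts_usec, payload_bytes)."""
    # Global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(
        struct.pack("<IIII", sec, usec, len(data), len(data)) + data
        for sec, usec, data in packets
    )
    return header + body


def read_pcap(buf):
    """Yield (ts_sec, ts_usec, payload) per record: each 16-byte record header holds the packet's timestamp."""
    (magic,) = struct.unpack_from("<I", buf, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    off = 24
    while off + 16 <= len(buf):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", buf, off)
        off += 16
        yield sec, usec, buf[off:off + incl_len]
        off += incl_len


def spool_alert(spool_path, sig, ts_sec, ts_usec):
    """Append an alert to the local spool, carrying the packet timestamp rather than wall-clock time."""
    with open(spool_path, "a") as f:
        f.write(json.dumps({"sig": sig, "ts": f"{ts_sec}.{ts_usec:06d}"}) + "\n")


def ship_spool(spool_path, connect):
    """Ship spooled alerts to the DB. On a connection failure nothing is lost: the spool stays on disk.

    Returns the number of alerts committed in this run."""
    pending = spool_path + ".pending"
    if not os.path.exists(pending):
        if not os.path.exists(spool_path):
            return 0
        os.replace(spool_path, pending)  # rotate so new alerts keep landing in spool_path
    try:
        conn = connect()
    except sqlite3.Error:
        return 0  # outage: leave the pending file intact and retry on the next run
    with open(pending) as f:
        events = [json.loads(line) for line in f if line.strip()]
    with conn:  # single transaction; commit before the spool file is removed
        conn.execute("CREATE TABLE IF NOT EXISTS event (sig TEXT, ts TEXT)")
        # The packet timestamp goes into the row; nothing here uses now().
        conn.executemany("INSERT INTO event (sig, ts) VALUES (?, ?)",
                         [(e["sig"], e["ts"]) for e in events])
    conn.close()
    os.remove(pending)
    return len(events)


def demo():
    """Run the pipeline on constructed data with one simulated outage.

    Returns (packet_timestamps, shipped_on_first_run, shipped_on_second_run, db_rows)."""
    # Two constructed packets with timestamps near the date of the thread (2004-09-29, UTC).
    pcap = build_pcap([(1096457100, 123456, b"\x00" * 42), (1096457101, 654321, b"\x00" * 60)])
    packets = list(read_pcap(pcap))
    with tempfile.TemporaryDirectory() as d:
        spool = os.path.join(d, "alerts.spool")
        db = os.path.join(d, "alerts.db")
        for sec, usec, _payload in packets:
            spool_alert(spool, "TEST-RULE", sec, usec)  # hypothetical rule name

        attempts = {"n": 0}

        def connect():
            attempts["n"] += 1
            if attempts["n"] == 1:
                raise sqlite3.OperationalError("simulated network outage")
            return sqlite3.connect(db)

        first = ship_spool(spool, connect)   # DB unreachable: 0 shipped, spool retained
        second = ship_spool(spool, connect)  # DB back: both alerts shipped with packet times
        rows = sqlite3.connect(db).execute("SELECT sig, ts FROM event ORDER BY ts").fetchall()
    return [(s, u) for s, u, _ in packets], first, second, rows


if __name__ == "__main__":
    print(demo())
```

The rotate-then-ship step matters in practice: renaming the spool before reading it means alerts written while the shipper is busy are never deleted unread, and the pending file is only removed after the database transaction has committed.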
