[Snort-users] (no subject)

Peter Osterberg Peter at ...12495...
Wed Sep 29 08:47:02 EDT 2004

Hi again,

thanks a lot for clarifying a lot to me. I have of course already contacted 
Demarc about this, they won't help me since PureSecure will be a legacy 
product some time soon. The software version of their product Sentaurus is 
their answer. So I decided to try to solve the problem my self. That is why 
I turned to you guys.

So now it looks like I have to chose from either bad timestamps in my 
database or the risk of loosing alerts.

Thanks for your help!


At 16:45 2004-09-29, Martin Roesch wrote:

>On Sep 29, 2004, at 7:25 AM, Peter Osterberg wrote:
>>Anyway the problem I have is that reporting to the db is missed if some 
>>kind of network connection problem occurs between the sensor and the db.
>Sounds like they're writing straight to the DB instead of spooling do the 
>local disk prior to writing the events to the DB.  The downside to doing 
>it this way is that it's 1) slow (slows down Snort) and 2) lossy in the 
>event of a network outage.
>>Is there some well known and practised way around this problem? I've been 
>>thinking of logging traffic to disk using tcpdump and with a decent file 
>>split size, say 1 MB. Check if there are finished files every 5 minutes, 
>>check if there is a working connection with the db, process dump files, 
>>report alerts and exit. Hang around for five more minutes and repeat. 
>>I've noticed that the reported time for detected events is the timestamp 
>>when the alert is stored in the database and not the timestamp of the 
>>tcppacket that triggers the event. I guess that the SQL function "now()" 
>>is used in the query!?
>The "right way" to solve this problem is to use Barnyard and unified 
>output, that's what they were written for.  I don't know if they'll work 
>with your "modified" Snort from Demarc, but it sounds like you've got a 
>problem that we've already solved here.  I don't know if it'll work with 
>your commercial solution, but if you paid money for it you should probably 
>be getting support from them.
>>Does anyone now if I can specify that "now()" shouldn't be used or some 
>>other way the reach my goals?
>Digging around a little more, it looks like Barnyard won't work for you if 
>you're using the Puresecure backend, they've got their own modified 
>ACID-like output plugin and their own schema.  You should contact Demarc 
>to see if they can come up with a solution for you.
>>It just struck my mind that tcpdump most likely doesn't store timestamps 
>>for every packet in raw mode. Can I tell it to do so and will Snort be 
>>able to read it in case it is possible?
>Tcpdump does store the timestamp with every packet, as does Snort in pcap 
>and unified output mode.
>      -Marty
>Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
>Sourcefire - Discover.  Determine.  Defend.
>roesch at ...1935... - http://www.sourcefire.com
>Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-users mailing list