[Snort-users] (no subject)
Peter at ...12495...
Wed Sep 29 08:47:02 EDT 2004
Thanks a lot for clarifying a lot to me. I have of course already contacted
Demarc about this, they won't help me since PureSecure will be a legacy
product some time soon. The software version of their product Sentaurus is
their answer. So I decided to try to solve the problem myself. That is why
I turned to you guys.
So now it looks like I have to choose from either bad timestamps in my
database or the risk of losing alerts.
Thanks for your help!
At 16:45 2004-09-29, Martin Roesch wrote:
>On Sep 29, 2004, at 7:25 AM, Peter Osterberg wrote:
>>Anyway the problem I have is that reporting to the db is missed if some
>>kind of network connection problem occurs between the sensor and the db.
>Sounds like they're writing straight to the DB instead of spooling to the
>local disk prior to writing the events to the DB. The downside to doing
>it this way is that it's 1) slow (slows down Snort) and 2) lossy in the
>event of a network outage.
>>Is there some well known and practised way around this problem? I've been
>>thinking of logging traffic to disk using tcpdump and with a decent file
>>split size, say 1 MB. Check if there are finished files every 5 minutes,
>>check if there is a working connection with the db, process dump files,
>>report alerts and exit. Hang around for five more minutes and repeat.
>>I've noticed that the reported time for detected events is the timestamp
>>when the alert is stored in the database and not the timestamp of the
>>tcp packet that triggers the event. I guess that the SQL function "now()"
>>is used in the query!?
>The "right way" to solve this problem is to use Barnyard and unified
>output, that's what they were written for. I don't know if they'll work
>with your "modified" Snort from Demarc, but it sounds like you've got a
>problem that we've already solved here. I don't know if it'll work with
>your commercial solution, but if you paid money for it you should probably
>be getting support from them.
>>Does anyone know if I can specify that "now()" shouldn't be used or some
>>other way to reach my goals?
>Digging around a little more, it looks like Barnyard won't work for you if
>you're using the Puresecure backend, they've got their own modified
>ACID-like output plugin and their own schema. You should contact Demarc
>to see if they can come up with a solution for you.
>>It just struck my mind that tcpdump most likely doesn't store timestamps
>>for every packet in raw mode. Can I tell it to do so and will Snort be
>>able to read it in case it is possible?
>Tcpdump does store the timestamp with every packet, as does Snort in pcap
>and unified output mode.
>Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
>Sourcefire - Discover. Determine. Defend.
>roesch at ...1935... - http://www.sourcefire.com
>Snort: Open Source Network IDS - http://www.snort.org
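Martin's spool-to-local-disk advice and Peter's five-minute batch idea, as an added Python example that is not Snort, Barnyard or PureSecure code: alerts are appended to a local spool together with the packet timestamp, and a periodic shipper writes them to the database in one transaction and stores that packet timestamp rather than letting the database stamp the row with now(). When the database is unreachable the spool is left intact for the next cycle. An in-memory SQLite database stands in for the alert database, and the alert values and file name are constructed.

```python
import json
import os
import sqlite3
import tempfile

def spool_alert(spool_path, sig_id, pkt_ts, msg):
    """Append one alert to the local spool and fsync it, as unified output does."""
    with open(spool_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps({"sig_id": sig_id, "pkt_ts": pkt_ts, "msg": msg}) + "\n")
        fh.flush()
        os.fsync(fh.fileno())

def read_spool(spool_path):
    with open(spool_path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]

def ship(spool_path, conn, db_up=True):
    """Move spooled alerts into the database and return the row count. The row
    stores pkt_ts (when the packet was seen), not the insert time; during an
    outage nothing is written and the spool is kept for the next cycle."""
    pending = read_spool(spool_path)
    if not pending:
        return 0
    if not db_up:  # simulated sensor-to-database network outage
        raise ConnectionError("database unreachable; keeping spool")
    with conn:  # one transaction: all pending rows land, or none do
        conn.executemany("INSERT INTO event (sig_id, timestamp, msg) VALUES (?, ?, ?)",
                         [(a["sig_id"], a["pkt_ts"], a["msg"]) for a in pending])
    open(spool_path, "w").close()  # truncate only after the commit succeeded
    return len(pending)

def run_cycle(spool_path, conn, db_up):
    """One periodic cycle (the thread's 'every 5 minutes'): ship if the DB is up."""
    try:
        return ship(spool_path, conn, db_up)
    except ConnectionError:
        return 0

def demo():
    """Constructed run: two alerts, one outage cycle, then one healthy cycle."""
    spool = os.path.join(tempfile.mkdtemp(), "snort.spool")  # constructed path
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (sig_id INTEGER, timestamp TEXT, msg TEXT)")
    spool_alert(spool, 1000001, "2004-09-29 07:25:00", "constructed alert A")
    spool_alert(spool, 1000002, "2004-09-29 07:25:03", "constructed alert B")
    outage = run_cycle(spool, conn, db_up=False)  # nothing written, nothing lost
    kept = len(read_spool(spool))
    shipped = run_cycle(spool, conn, db_up=True)
    rows = conn.execute("SELECT sig_id, timestamp FROM event ORDER BY sig_id").fetchall()
    return {"outage": outage, "kept": kept, "shipped": shipped, "rows": rows,
            "spool_empty": read_spool(spool) == []}
```

A crash between the commit and the truncate would replay the batch on the next cycle, so a real shipper also records the last shipped offset or event id to stay idempotent.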