[Snort-users] Snort, Barnyard, Mysql

Jason Brvenik jasonb at ...1935...
Sat Oct 15 19:22:25 EDT 2005

Raymond Owens wrote:
> I have several questions relating to the use of Snort, Barnyard and
> Mysql that hopefully someone can shed some light on.
> First, I have heard that if Barnyard is run on the same platform that
> the Snort sensor resides on, there is no performance enhancement because
> the same box is doing both the sensing and the unified file output
> parsing. Is this true? If so, what methods are employed to get the
> unified files to another box?

This is not true. Unified output is much faster than other output
methods. Running barnyard on the same single processor system might have
some cost associated with the sensing instance but if you are running at
those speeds you should have a multiprocessor system for the task
anyway. Moving the database to a different system is also a good idea if
you have high performance needs.

> When I imported the snort schema inside the create_mysql file into Mysql
> v. 5.0.12 it choked on the table 'schema'. When I altered the table name
> before input to 'scheme' the snort database was created successfully and
> the database seemed usable, but I assume something will be unhappy at
> some point with the changed table name. Anyone run into this before?

This is the result of a change in Mysql that made schema a reserved
word. You need to surround schema in single ticks EG: 'schema' IIRC

> One item in the project I am working on is providing sysadms
> of various subnets access to the Snort alerts pertaining to their
> subnets while not allowing them to see event information that pertains
> to subnets they do not control. These sysadms are using snort database
> access agents which are assuming to be provided a database name of form
> 'database.*' over which they will have SELECT access to all tables to do
> various types of queries. Has anyone done anything similar and can give
> me general guidance on how to accomplish this? I assume that a 'view'
> would need to be created and a 'grant' to individual users which only
> give access based on the source and destination IPs falling into their
> domain. Having a little trouble figuring out if this is a feasible scheme
> and what general syntax would look like.

BASE may already be able to help you with this. If not, adding the
support for user based restrictions on netblocks or sensor instance
should not be that hard.

> Thanks for any help that can be provided.
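
The view-and-grant layout asked about in the last quoted question, as an added example that is not part of the original thread or of Snort/BASE. It assumes the stock Snort MySQL schema (event and iphdr keyed by sid, cid, with ip_src/ip_dst stored as unsigned integers); the database name snort_net10, the account admin_net10 and the subnet 192.0.2.0/24 are placeholders.

```sql
-- Added example. Names, account and subnet are placeholders (assumptions).
-- Requires MySQL 5.0.1 or later for view support.

-- One database per delegated subnet, so the agent can be pointed at
-- 'snort_net10.*' and find the table names it expects.
CREATE DATABASE snort_net10;

-- IP headers where either endpoint falls inside 192.0.2.0/24.
CREATE VIEW snort_net10.iphdr AS
SELECT h.*
FROM snort.iphdr AS h
WHERE h.ip_src BETWEEN INET_ATON('192.0.2.0') AND INET_ATON('192.0.2.255')
   OR h.ip_dst BETWEEN INET_ATON('192.0.2.0') AND INET_ATON('192.0.2.255');

-- Events limited to those whose IP header passed the filter above.
CREATE VIEW snort_net10.event AS
SELECT e.*
FROM snort.event AS e
JOIN snort_net10.iphdr AS i
  ON i.sid = e.sid AND i.cid = e.cid;

-- Other per-event tables (tcphdr, udphdr, icmphdr, data, opt) need the
-- same (sid, cid) join; shown here for tcphdr only.
CREATE VIEW snort_net10.tcphdr AS
SELECT t.*
FROM snort.tcphdr AS t
JOIN snort_net10.iphdr AS i
  ON i.sid = t.sid AND i.cid = t.cid;

-- Signature metadata carries no host addresses and can pass through.
CREATE VIEW snort_net10.signature AS
SELECT * FROM snort.signature;

-- Read-only account scoped to the view database. It receives no
-- privilege on snort.*, so unfiltered rows are unreachable directly.
CREATE USER 'admin_net10'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT ON snort_net10.* TO 'admin_net10'@'localhost';

-- Check the result: only the view database should be listed.
SHOW GRANTS FOR 'admin_net10'@'localhost';
```

The views read snort.* with the privileges of the account that created them, so that account needs SELECT on the base tables while the sysadmin account does not.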
