[Snort-users] snort and mysql5 losing db connection

Bamm Visscher bamm.visscher at ...11827...
Thu Jun 14 13:00:49 EDT 2007


Werd. I hadn't realized you finished the log piece (or I at least
conveniently forgot).

A supported (actively maintained and documented) unified file reader
is definitely needed. If it could support the various output types
that snort (and barnyard) currently do, things would be swell.  Oh,
and can you port it to Tcl too ;)

Bammkkkk


On 6/14/07, Jason Brvenik <jasonb at ...1935...> wrote:
> Both.
>
> Bamm Visscher wrote:
> > Jason,
> >
> > Is this for unified alert, log, or both?
> >
> > Bammkkkk
> >
> >
> > On 6/14/07, Jason Brvenik <jasonb at ...1935...> wrote:
> >
> >> Interesting that this topic comes up.
> >>
> >> I wrote a perl module for handling unified files for just these reasons
> >> (and many more) it currently lives at:
> >>
> >> http://cerberus.sourcefire.com/~jbrvenik/unified_perl
> >>
> >> It fully handles unified files and is portable across platforms and
> >> handles big/little endian issues and 64bit unified files too.
> >>
> >> It would not take much work to make the db code a direct replacement for
> >> barnyard.
> >>
> >> http://cerberus.sourcefire.com/~jbrvenik/unified_perl/ufdbtest.pl
> >>
> >> So... some questions for the community.
> >>
> >> - What is the interest in having a direct barnyard replacement?
> >> - Anyone interested in taking a stab at it?
> >> - What other capabilities are desired (I know you want ppp support, Richard)
> >> - Anyone want to take up documenting it?
> >>
> >>
> >>
> >>
> >>
> >> Jeff Dell wrote:
> >>
> >>> Richard,
> >>>
> >>> I couldn't agree with you more, but I think this is partially to do with
> >>> barnyard and not the users. Here are a few reasons why I think this is
> >>> happening...
> >>>
> >>> o. Barnyard hasn't been updated in 3 years. It could be thought that
> >>> something this old is no longer supported. (I know it is stable and
> >>> working.. so no need to upgrade)
> >>> o. Barnyard isn't available on snort.org as a binary package which makes it
> >>> harder for some people to install.
> >>> o. Not supported on all OSes, one being Windows.
> >>> o. The barnyard email list gets more spam than real email.
> >>> o. Lack of documentation on how to install snort with barnyard. Even the
> >>> online manual at snort.org doesn't talk about how to do this.
> >>>
> >>> I would bet that most people don't use barnyard even though Snort should not
> >>> be used without it.
> >>>
> >>> Cheers,
> >>> Jeff
> >>>
> >>> -----Original Message-----
> >>> From: snort-users-bounces at lists.sourceforge.net
> >>> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Richard
> >>> Bejtlich
> >>> Sent: Thursday, June 14, 2007 9:41 AM
> >>> To: j.greg.k at ...11827...; snort-users at lists.sourceforge.net
> >>> Subject: Re: [Snort-users] snort and mysql5 losing db connection
> >>>
> >>> Greg King wrote:
> >>>
> >>>
> >>>> Another thread back in 2005 mentioned to use barnyard and not the sql
> >>>> connector. That is not an option for base and probably would fail with
> >>>> aanval users as well.
> >>>>
> >>> Why is Barnyard not an option for BASE users?  Using Barnyard is your
> >>> best option.  Direct logging from Snort to MySQL has been a bad idea
> >>> for about six years now, but like SQL Slammer it seems to always be
> >>> with us...
> >>>
> >>> Sincerely,
> >>>
>
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net



