[Snort-users] v2.8.4 incorrect logging to MySQL

Danny Paul JDPAUL at ...14549...
Tue Apr 14 13:01:25 EDT 2009


I'd say that there are always going to be opinions on both sides of the
issue. If the developers feel that they need to abandon it on the
grounds that it will free development time for other issues then I
support them in that.

That being said, as long as snort has a functioning DB output, and as
long as it continues to work for my environment, I will continue to use
it.




>>> On 4/14/2009 at 11:53 AM, in message
<910b913d0904140953i2ce8bcg365d2a8eb8a6b240 at ...11828...>,
<jasonb at ...1935...> wrote:
> There are a few things I don't think you are considering.
> 
> 1) DB writes are blocking, the engine cannot inspect packets while it
> writes to DB.
> 2) Running a DB on the same system is not a design goal for something
> that needs to react near real-time, it should be offloaded.
> 3) Direct disk writes are much faster than DB writes, in any environment.
> 4) Other output methods are not going to be regression tested as often
> and are prone to break.
> 
> 
> On Tue, Apr 14, 2009 at 12:34 PM, Danny Paul <JDPAUL at ...14548...> wrote:
>> Thumbs down. Nay.
>>
>> I installed barnyard yesterday to overcome the bug and discovered that
>> my load more than doubled. I don't need the increased complexity of
>> barnyard and disagree completely with the notion that it is more
>> efficient to write the alert to disk twice (snort->unified, then
>> unified->DB) vs once (snort->DB). In an environment where CPUs are fast
>> and RAM is plentiful but you are I/O bound (which will probably be a lot
>> of servers) why would you want to write data more often than necessary?
>>
>> Better yet, the DB backend allows you to offload your logging to
>> another server freeing up more of the sensor's capacity. I simply do not
>> see the advantage and implore the snort developers to continue
>> development of multiple backends.
>>
>>
>>
>>>>> On 4/14/2009 at 11:08 AM, in message
>> <1c79c7b70904140908v64967a68uf5048ebedada2ef1 at ...11828...>,
>> <cummingsj at ...11827...> wrote:
>>> /me raises hand.. "I"
>>>
>>> On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler at ...1935...> wrote:
>>>
>>>> Seconded.
>>>>
>>>>
>>>> On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik <jasonb at ...1935...> wrote:
>>>>
>>>>> Here is my vote to remove all output methods from the engine except
>>>>> unified, to remove the code complexity. People are much better off
>>>>> having two dedicated processes achieving a common goal than they are
>>>>> with the code complexity and issues in the one code base.
>>>>>
>>>>> On Tue, Apr 14, 2009 at 8:31 AM, James Lay <jlay at ...13475...> wrote:
>>>>> >
>>>>> >
>>>>> >
>>>>> > ________________________________
>>>>> > From: Ron Jenkins <rjenkins at ...14345...>
>>>>> > Date: Mon, 13 Apr 2009 09:21:09 -0500
>>>>> > To: 'Joel Esler' <jesler at ...1935...>
>>>>> > Cc: James Lay <jlay at ...13475...>, Snort
>>>>> > <snort-users at lists.sourceforge.net>
>>>>> > Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL
>>>>> >
>>>>> > We are backing down from v2.8.4 until the new version can successfully
>>>>> > write to the sensor and signature tables correctly.
>>>>> >
>>>>> > Until Sourcefire truly removes writing to the MySQL database and forces
>>>>> > unified logging we see no reason to change at this time.  Yes the new
>>>>> > rule changes are much wanted, but after reading on the mass issues on
>>>>> > the snort forums with the new version we are holding off on the update.
>>>>> >
>>>>> > Thanks
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > I have to chime in and second this.  Though Unified might be best, for
>>>>> > smaller shops, my perception is that barnyard is an added layer of
>>>>> > complexity.  I run snort at the house on OS X...pretty much to catch the
>>>>> > obvious dumb crap coming in from the outside world and to catch if the
>>>>> > kids' machines get something naughty.  Again, larger shops where IDS is
>>>>> > mission critical should take the extra step, but small ones..eh...I’ve
>>>>> > found that logging direct to mysql works well enough.  My 0.02 I guess.
>>>>> >
>>>>> > James
>>>>> >
>>>>> >
>>>>>
>>>>> > ------------------------------------------------------------------------------
>>>>> > This SF.net email is sponsored by:
>>>>> > High Quality Requirements in a Collaborative Environment.
>>>>> > Download a free trial of Rational Requirements Composer Now!
>>>>> > http://p.sf.net/sfu/www-ibm-com 
>>>>> > _______________________________________________
>>>>> > Snort-users mailing list
>>>>> > Snort-users at lists.sourceforge.net 
>>>>> > Go to this URL to change user options or unsubscribe:
>>>>> > https://lists.sourceforge.net/lists/listinfo/snort-users 
>>>>> > Snort-users list archive:
>>>>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users 
>>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
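The two deployment models argued over in this thread, written out as configuration so the difference is concrete. This is an added example for the archive, not configuration posted by anyone in the thread: the hostnames, credentials, paths and sensor names are placeholders, and the directive names are the `output database:`, `output unified2:` and barnyard2 `config`/`input` syntax as I know them, so check them against the Snort and barnyard2 versions you actually run.

```conf
# ---------------------------------------------------------------------------
# Model A: direct database output from the Snort engine (what Danny and James
# prefer). One process, one write. The MySQL client call happens inside the
# engine's output path, so if the DB server is slow or unreachable the engine
# waits on it and is not inspecting packets in the meantime (Jason's point 1).
# Put in snort.conf; "db.example.net" and the password are placeholders.
# ---------------------------------------------------------------------------
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=db.example.net

# ---------------------------------------------------------------------------
# Model B: the engine writes only unified2 to local disk (a sequential
# append, no network round trip), and a separate process ships it to the DB.
# The engine never blocks on MySQL; if the DB is down, events pile up in the
# spool and are delivered later. Cost: the event is written twice (Danny's
# objection) and there is a second daemon to run and monitor.
#
# Part 1, in snort.conf. "limit 128" rolls the spool file at 128 MB.
# ---------------------------------------------------------------------------
output unified2: filename snort.u2, limit 128

# ---------------------------------------------------------------------------
# Part 2, barnyard2.conf (barnyard2 directive names assumed; run as a
# separate process, typically on the sensor or on a log host that can read
# the spool). The waldo file is barnyard2's bookmark into the unified2
# stream: after a DB outage or a restart it resumes from the last event it
# committed instead of re-inserting or dropping events.
# ---------------------------------------------------------------------------
config logdir:              /var/log/barnyard2
config hostname:            sensor1          # placeholder sensor name
config interface:           eth0             # placeholder capture interface
config waldo_file:          /var/log/snort/barnyard2.waldo
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

input unified2

# Same DB target as model A; the difference is which process owns the
# connection. Running this on a log host instead of the sensor is the
# "offload" both sides of the thread want, achieved without the engine
# holding a database socket.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=db.example.net
```

The operational check that separates the two models is what happens when the database stops answering: under model A the sensor's packet drop counters climb while the engine waits, under model B the unified2 spool grows and the waldo file stops advancing, which is the condition to alert on. Either way the database credentials in these files are cleartext, so the files should be readable only by the account that runs the daemon.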
