[Snort-users] v2.8.4 incorrect logging to MySQL

Jack Pepper pepperjack at ...14319...
Tue Apr 14 13:37:38 EDT 2009


I disagree vehemently.  I like the flexibility (warts and all) that
comes with the current model.  It's true that high flexibility leads
to high complexity, which invariably leads to maintenance challenges.
No argument there.

But to take away the flexibility and adaptability would damage the
Snort product.

Unified is good enough for reporting and charts, and all that blah
blah blah.  But if you really want to build a security device around
the Snort detection engine, unified is too weak for real-time response
and analysis.  The unified model carries too much latency for real-
time processing.

The alternative to complexity is to choose either a limited, dumbed-
down product or a closed-source product.  Both models (static
deployability model and closed-source model) have demonstrably failed
to keep pace with the ingenuity and skill of our common adversary.
Simple tools suck.

jp

Quoting JJ Cummings <cummingsj at ...11827...>:

> /me raises hand.. "I"
>
> On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler at ...1935...> wrote:
>
>> Seconded.
>>
>>
>> On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik  
>> <jasonb at ...1935...>wrote:
>>
>>> Here is my vote to remove all output methods from the engine except
>>> unified, to remove the code complexity. People are much better off
>>> having two dedicated processes achieving a common goal than they are
>>> with the code complexity and issues in the one code base.
>>>
>>> On Tue, Apr 14, 2009 at 8:31 AM, James Lay <jlay at ...13475...>
>>> wrote:
>>> >
>>> >
>>> >
>>> > ________________________________
>>> > From: Ron Jenkins <rjenkins at ...14345...>
>>> > Date: Mon, 13 Apr 2009 09:21:09 -0500
>>> > To: 'Joel Esler' <jesler at ...1935...>
>>> > Cc: James Lay <jlay at ...13475...>, Snort
>>> > <snort-users at lists.sourceforge.net>
>>> > Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL
>>> >
>>> > We are backing down from v2.8.4 until the new version can successfully
>>> > write to the sensor and signature tables correctly.
>>> >
>>> > Until Sourcefire truly removes writing to the MySQL database and forces
>>> > unified logging we see no reason to change at this time.  Yes, the new
>>> > rule changes are much wanted, but after reading on the mass issues on the
>>> > snort forums with the new version we are holding off on the update.
>>> >
>>> > Thanks
>>> >
>>> >
>>> >
>>> >
>>> > I have to chime in and second this.  Though Unified might be best, for
>>> > smaller shops, my perception is that barnyard is an added layer of
>>> > complexity.  I run snort at the house on OS X...pretty much to catch the
>>> > obvious dumb crap coming in from the outside world and to catch if the
>>> > kids' machines get something naughty.  Again, larger shops where IDS is
>>> > mission critical should take the extra step, but small ones..eh...I've
>>> > found that logging direct to mysql works well enough.  My 0.02 I guess.
>>> >
>>> > James
>>> >
>>> >
>>> ------------------------------------------------------------------------------
>>> > This SF.net email is sponsored by:
>>> > High Quality Requirements in a Collaborative Environment.
>>> > Download a free trial of Rational Requirements Composer Now!
>>> > http://p.sf.net/sfu/www-ibm-com
>>> > _______________________________________________
>>> > Snort-users mailing list
>>> > Snort-users at lists.sourceforge.net
>>> > Go to this URL to change user options or unsubscribe:
>>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>>> > Snort-users list archive:
>>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> >
>>>
>>>
>>
>>
>>
>> --
>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>>
>>
>
>
>
> --
>

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
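For readers following the thread, the two deployment models being argued over look like this in configuration. This is an added illustration, not configuration from any poster or from the Snort project itself; the paths, database name, and credentials are placeholders, and it assumes the unified2 output plugin together with barnyard2 as the separate spool-reading process that Jason's "two dedicated processes" comment describes.

```conf
# --- Model A: Snort writes straight to MySQL (snort.conf) ---
# The database output plugin runs inside the detection engine's process, so a
# slow or unreachable database stalls the sensor itself.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# --- Model B: Snort spools to unified2, a second process loads the DB ---
# snort.conf: the engine only appends binary records to a local spool file
# (placeholder filename and a 128 MB rollover limit).
output unified2: filename snort.u2, limit 128

# barnyard2.conf: barnyard2 tails the spool and owns the database connection,
# so database trouble delays reporting but never blocks packet processing.
input unified2
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

With model B the spool reader is started alongside the sensor, for example `barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo` (placeholder paths; the waldo file records how far the spool has been read so a restart resumes without duplicating alerts). The trade-off the thread debates is exactly this decoupling: model A gives one process and immediate writes, model B gives the engine isolation from database latency at the cost of a second daemon to configure and monitor.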




