[Snort-users] v2.8.4 incorrect logging to MySQL

Paul Schmehl pschmehl_lists at ...14358...
Tue Apr 14 14:09:55 EDT 2009


--On Tuesday, April 14, 2009 12:15:12 -0500 Joel Esler <jesler at ...1935...> 
wrote:

> After talking with Jason, I am going to try and put some bandwidth into
> testing barnyard2.  See if it comes up for any of the shortfalls that
> barnyard1 had.
>
>
> Are any of the barnyard2 developers on this list?  
>
>
> J
>
>
> On Tue, Apr 14, 2009 at 12:54 PM, Jason Wallace <jason.r.wallace at ...13704......>
> wrote:
>
> I'll bite...
>
> I'd throw in a vote for this too, but out of curiosity... why unified
> over unified2?
>
> Either way, before you could do that there would have to be an
> "official" tool to read the binary file and output it to other
> formats. By official I mean something supported, documented (right on
> the snort web site), and, maintained so we know it will be there
> tomorrow and doesn't fade off into nothing like barnyard.
>
> Right now there are 3 options:
>
> Barnyard: http://www.snort.org/dl/barnyard/
> - Works with unified but not unified2
> - abandonware
> - DB connection issues
>
> Barnyard2: http://www.securixlive.com/barnyard2/index.php
> - Works with unified and unified2
> - I have seen the same DB connection issues as with barnyard
>
> SnortUnified.pm: http://code.google.com/p/snort-unified-perl/
> - Works but not very well documented (no disrespect meant Jason)
> - Not sure about the DB connection issue. I have tried to use this a
> couple of times; I'm not the best with perl, so the lack of docs left
> me scratching my head.
>
> I wouldn't call any of these official. Recommended, but not official.
>
> Wally
>
>
>
>
> On Tue, Apr 14, 2009 at 12:08 PM, JJ Cummings <cummingsj at ...11827...> wrote:
>> /me raises hand.. "I"
>>
>> On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler at ...1935...> wrote:
>>>
>>> Seconded.
>>>
>>> On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik <jasonb at ...1935...>
>>> wrote:
>>>>
>>>> Here is my vote to remove all output methods from the engine except
>>>> unified, to remove the code complexity. People are much better off
>>>> having two dedicated processes achieving a common goal than they are
>>>> with the code complexity and issues in the one code base.
>>>>
>>>> On Tue, Apr 14, 2009 at 8:31 AM, James Lay <jlay at ...13475...>
>>>> wrote:
>>>> >
>>>> >
>>>> >
>>>> > ________________________________
>>>> > From: Ron Jenkins <rjenkins at ...14345...>
>>>> > Date: Mon, 13 Apr 2009 09:21:09 -0500
>>>> > To: 'Joel Esler' <jesler at ...1935...>
>>>> > Cc: James Lay <jlay at ...13475...>, Snort
>>>> > <snort-users at lists.sourceforge.net>
>>>> > Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL
>>>> >
>>>> > We are backing down from v2.8.4 until the new version can successfully
>>>> > write to the sensor and signature tables correctly.
>>>> >
>>>> > Until Sourcefire truly removes writing to the MySQL database and forces
>>>> > unified logging, we see no reason to change at this time.  Yes, the new
>>>> > rule changes are much wanted, but after reading about the mass issues on
>>>> > the snort forums with the new version we are holding off on the update.
>>>> >
>>>> > Thanks
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > I have to chime in and second this.  Though Unified might be best, for
>>>> > smaller shops, my perception is that barnyard is an added layer of
>>>> > complexity.  I run snort at the house on OS X...pretty much to catch the
>>>> > obvious dumb crap coming in from the outside world and to catch if the
>>>> > kids' machines get something naughty.  Again, larger shops where IDS is
>>>> > mission critical should take the extra step, but small ones..eh...I've
>>>> > found that logging direct to mysql works well enough.  My 0.02 I guess.
>>>> >
>>>> > James
>>>> >
>>>> >
>>>> > ------------------------------------------------------------------------
>>>> > ------ This SF.net email is sponsored by:
>>>> > High Quality Requirements in a Collaborative Environment.
>>>> > Download a free trial of Rational Requirements Composer Now!
>>>> > http://p.sf.net/sfu/www-ibm-com
>>>> > _______________________________________________
>>>> > Snort-users mailing list
>>>> > Snort-users at lists.sourceforge.net
>>>> > Go to this URL to change user options or unsubscribe:
>>>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> > Snort-users list archive:
>>>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>> >
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>>>
>>>
>>
>>
>>
>> --
>>
>>
>>
>

You've caught me by surprise.  As the port maintainer for barnyard (for 
FreeBSD), I was unaware that work was ongoing on a new version of barnyard. 
Furthermore, I didn't pick up the changes to unified output that were 
introduced in snort 2.8.

Is the barnyard2 project officially supported?  (Not that it matters for 
purposes of a port for FreeBSD.  It would only mean I would create a new port 
rather than update the existing one.)

What are the advantages of unified2 over unified?

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
