[Snort-users] v2.8.4 incorrect logging to MySQL

Randal T. Rioux randy at ...13561...
Tue Apr 14 16:14:24 EDT 2009


I've brought up the issue many times here. I started to develop my own
version when Firnsy over at Securix let me know their intentions. I left
the issue because it looked like they had a good thing (and still do).

http://www.securixlive.com/barnyard2/index.php

I'm still working on a different type of replacement that supports more
databases. There are a few things in front of the queue right now, but I'd
like to have something done by summer.

I just don't like the idea of a product/company saying "only use this
module" when that module is abandoned. If you truly are removing direct DB
output, then dedicate a resource or two to a "supported" output parser for
unified2 (which is what I'm focused on).

Randy


On Tue, April 14, 2009 1:15 pm, Joel Esler wrote:
> After talking with Jason, I am going to try and put some bandwidth into
> testing barnyard2.  See if it comes up for any of the shortfalls that
> barnyard1 had. Are any of the barnyard2 developers on this list?
>
> J
>
> On Tue, Apr 14, 2009 at 12:54 PM, Jason Wallace
> <jason.r.wallace at ...11827...>wrote:
>
>> I'll bite...
>>
>> I'd throw in a vote for this too, but out of curiosity... why unified
>> over unified2?
>>
>> Either way, before you could do that there would have to be an
>> "official" tool to read the binary file and output it to other formats.
>> By official I mean something supported, documented (right on the snort
>> web site), and, maintained so we know it will be there tomorrow and
>> doesn't fade off into nothing like barnyard.
>>
>> Right now there are 3 options:
>>
>> Barnyard: http://www.snort.org/dl/barnyard/ - Works with unified but
>> not unified2 - abandonware - DB connection issues
>>
>> Barnyard2: http://www.securixlive.com/barnyard2/index.php - Works with
>> unified and unified2 - I have seen the same DB connection issues as
>> with barnyard
>>
>> SnortUnified.pm: http://code.google.com/p/snort-unified-perl/ - Works
>> but not very well documented (no disrespect meant Jason) - Not sure
>> about the DB connection issue. I have tried to use this a couple of
>> times, I'm not the best with perl so the lack of docs left me
>> scratching my head.
>>
>> I wouldn't call any of these official. Recommended, but not official.
>>
>> Wally
>>
>> On Tue, Apr 14, 2009 at 12:08 PM, JJ Cummings <cummingsj at ...11827...>
>> wrote:
>>> /me raises hand.. "I"
>>>
>>> On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler at ...1935...> wrote:
>>>>
>>>> Seconded.
>>>>
>>>> On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik <jasonb at ...1935...>
>>>> wrote:
>>>>>
>>>>> Here is my vote to remove all output methods from the engine
>>>>> except unified, to remove the code complexity. People are much
>>>>> better off having two dedicated processes achieving a common goal
>>>>> than they are with the code complexity and issues in the one code
>>>>> base.
>>>>>
>>>>> On Tue, Apr 14, 2009 at 8:31 AM, James Lay <jlay at ...13475...>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> ________________________________
>>>>>> From: Ron Jenkins <rjenkins at ...14345...>
>>>>>> Date: Mon, 13 Apr 2009 09:21:09 -0500
>>>>>> To: 'Joel Esler' <jesler at ...1935...>
>>>>>> Cc: James Lay <jlay at ...13475...>, Snort <snort-users at lists.sourceforge.net>
>>>>>> Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL
>>>>>>
>>>>>> We are backing down from v2.8.4 until the new version can successfully
>>>>>> write to the sensor and signature tables correctly.
>>>>>>
>>>>>> Until Sourcefire truly removes writing to the MySQL database and forces
>>>>>> unified logging we see no reason to change at this time.  Yes the new
>>>>>> rule changes are much wanted, but after reading on the mass issues on the
>>>>>> snort forums with the new version we are holding off on the update.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I have to chime in and second this.  Though Unified might be best, for
>>>>>> smaller shops, my perception is that barnyard is an added layer of
>>>>>> complexity.  I run snort at the house on OS X...pretty much to catch
>>>>>> the obvious dumb crap coming in from the outside world and to catch if the
>>>>>> kids' machines get something naughty.  Again, larger shops where IDS is
>>>>>> mission critical should take the extra step, but small ones..eh...I’ve found
>>>>>> that logging direct to mysql works well enough.  My 0.02 I guess.
>>>>>>
>>>>>> James
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> This SF.net email is sponsored by: High Quality Requirements in
>>>>>> a Collaborative Environment. Download a free trial of Rational
>>>>>> Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com
>>>>>> _______________________________________________ Snort-users
>>>>>> mailing list Snort-users at lists.sourceforge.net Go to this URL
>>>>>> to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> -- joel esler | Sourcefire | gtalk: jesler at ...1935... |
>>>> 302-223-5974
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
> -- joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974

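The thread keeps returning to the missing piece: a tool that reads the unified2 spool Snort writes and hands the records to a database or another format. As an added example (not code from the thread, from Snort or from barnyard2), here is a minimal Python reader for that record stream; the field layout is taken from Snort's Unified2.h (Serial_Unified2_Header, Unified2IDSEvent_legacy for IPv4 events, Unified2Packet), the sample records are constructed, and the truncated-tail check is there because the spool file may still be open for writing when a reader gets to it.

```python
"""Minimal unified2 spool reader. Layout per Snort's Unified2.h (sample data is constructed)."""
import struct
from socket import inet_ntoa

REC_HDR = struct.Struct(">II")            # Serial_Unified2_Header: type, length (big-endian)
IDS_EVENT = struct.Struct(">11IHHBBBB")   # Unified2IDSEvent_legacy, 52 bytes (IPv4)
PACKET_HDR = struct.Struct(">7I")         # Unified2Packet without its packet_data tail
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source",
                "ip_destination", "sport_itype", "dport_icode", "protocol",
                "impact_flag", "impact", "blocked")

def iter_records(buf):
    """Yield (type, body) per complete record; a truncated tail raises, not garbage."""
    off = 0
    while off < len(buf):
        if len(buf) - off < REC_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = REC_HDR.unpack_from(buf, off)
        off += REC_HDR.size
        if len(buf) - off < rlen:
            raise ValueError("truncated record body at offset %d" % off)
        yield rtype, buf[off:off + rlen]
        off += rlen

def decode(rtype, body):
    """Map one record body to a dict a DB writer could INSERT from."""
    if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
        rec = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
        for key in ("ip_source", "ip_destination"):   # u32 -> dotted quad
            rec[key] = inet_ntoa(struct.pack(">I", rec[key]))
        return rec
    if rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
        h = PACKET_HDR.unpack_from(body)
        return {"event_id": h[1], "packet_second": h[3], "linktype": h[5],
                "packet_data": body[PACKET_HDR.size:PACKET_HDR.size + h[6]]}
    return {"unknown_type": rtype, "raw": body}   # keep it; never silently drop

def parse_stream(buf):
    return [decode(t, b) for t, b in iter_records(buf)]

def sample_stream():
    """Constructed: one TCP event (gid 1, sid 2000) followed by its packet record."""
    ev = IDS_EVENT.pack(1, 42, 1239727200, 0, 2000, 1, 3, 30, 2,
                        0x0A000005, 0x0A000009, 51515, 22, 6, 0, 0, 0)
    pkt = PACKET_HDR.pack(1, 42, 1239727200, 1239727200, 0, 1, 4) + b"\xde\xad\xbe\xef"
    return (REC_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + REC_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt)
```

Unknown record types (IPv6, VLAN, MPLS and extra-data variants) fall through as raw bytes rather than being dropped, so a writer can count them and decide what to do.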



