[Snort-users] v2.8.4 incorrect logging to MySQL

Jack Pepper pepperjack at ...14319...
Tue Apr 14 23:44:42 EDT 2009


Quoting Martin Roesch <roesch at ...1935...>:

> Jack Pepper:
>
> I believe the latency between detection and spooling to a database
> using the unified/Barnyard method is preferable to losing packets and
> missing detections altogether using the direct-to-database method.  We
> use Unified2 here at Sourcefire for our commercial devices.
>

Yeah, I don't use direct to DB either.  My earier comments were just  
to say that for a guy who has been programming real time embedded  
systems for 30 years, unified is not my thing.  not bad code, just not  
my cup of tea.  As I tell the young guys who come here, "any time you  
think loop polling for data sounds like a good idea, you have made a  
design error."  And using a flat file on a journaled file system as a  
spooling pipe is creepy.  it looks like ketchup on ice cream.  But  
that's just me.  If you want a pipe, why not use a pipe?

I happen to really like writing weird realtime multi-threaded apps  
with lots of IPC stuff embedded in them.  For my own use, I wrote a  
distributed correlator system wherein the snort output method writes  
to a shared memory handle where an external (non snort) process was  
waiting on the mutex. then it goes though a massively parallel system  
of "escalator" daemons that have a separate system and configuration  
elements for each type of event escalation (SMS, DB, text-to-skype  
(via festival), email, Full-Alert-Logging, tcpdump, syslog, etc) and  
each type of criticality.  It's my own beast and it works only as long  
as snort doesn't change the handoff from detect to output.  At the end  
of the escalation tree, everything goes to a remote DB on a central  
system where it gets mined for possible nuggets.  (The mining code  
does not work nearly as well as it sounds).


BTW Marty:  I have been a loyal snort user since 1.6 and I think that  
if you wrote the code then you have to answer only to yourself for  
what kind of licence you put on the code.  You should do what works  
for you.  thanks for snort.  Snort has made IDS and IPS real objects  
and not just sales blather.  The Snort community has much to be proud  
of as a model of how the open source community is supposed to work.   
If people disagree with your direction, they should start a fork.

jp


-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com





More information about the Snort-users mailing list