[Snort-users] v2.8.4 incorrect logging to MySQL
pepperjack at ...14319...
Tue Apr 14 23:44:42 EDT 2009
Quoting Martin Roesch <roesch at ...1935...>:
> Jack Pepper:
> I believe the latency between detection and spooling to a database
> using the unified/Barnyard method is preferable to losing packets and
> missing detections altogether using the direct-to-database method. We
> use Unified2 here at Sourcefire for our commercial devices.
Yeah, I don't use direct to DB either. My earier comments were just
to say that for a guy who has been programming real time embedded
systems for 30 years, unified is not my thing. not bad code, just not
my cup of tea. As I tell the young guys who come here, "any time you
think loop polling for data sounds like a good idea, you have made a
design error." And using a flat file on a journaled file system as a
spooling pipe is creepy. it looks like ketchup on ice cream. But
that's just me. If you want a pipe, why not use a pipe?
I happen to really like writing weird realtime multi-threaded apps
with lots of IPC stuff embedded in them. For my own use, I wrote a
distributed correlator system wherein the snort output method writes
to a shared memory handle where an external (non snort) process was
waiting on the mutex. then it goes though a massively parallel system
of "escalator" daemons that have a separate system and configuration
elements for each type of event escalation (SMS, DB, text-to-skype
(via festival), email, Full-Alert-Logging, tcpdump, syslog, etc) and
each type of criticality. It's my own beast and it works only as long
as snort doesn't change the handoff from detect to output. At the end
of the escalation tree, everything goes to a remote DB on a central
system where it gets mined for possible nuggets. (The mining code
does not work nearly as well as it sounds).
BTW Marty: I have been a loyal snort user since 1.6 and I think that
if you wrote the code then you have to answer only to yourself for
what kind of licence you put on the code. You should do what works
for you. thanks for snort. Snort has made IDS and IPS real objects
and not just sales blather. The Snort community has much to be proud
of as a model of how the open source community is supposed to work.
If people disagree with your direction, they should start a fork.
Framework? I don't need no stinking framework!
@fferent Security Labs: Isolate/Insulate/Innovate
More information about the Snort-users