[Snort-users] Load snort alert to database without barnyard2

wkitty42 at ...14940...
Mon Feb 20 21:59:27 EST 2017


On 02/20/2017 02:26 PM, Paul Li wrote:
> My use cases of Snort don't generate u2 log files every time: some time it
> generates .log log files. But I still need to load all the alerts to database.
> Looks like after Snort 2.9.3, the database plugin is removed. Wondering if there
> are any other ways to load alerts to database without using Barnyard2?

without using barnyard2? no... not that *i'm* aware of... you could write your 
own U2 parser and use that to populate your database... see? here's the thing... 
the reason that the snort direct database thing was abandoned was because if 
there was a problem reaching the database or writing to it, snort would hang and 
miss processing traffic... by getting rid of that task, snort has more time to 
monitor and analyze the network traffic... it can write to the U2 log as long as 
it wants to... then it is up to another tool, like barnyard2 or your own 
concoction, to handle the reading of the U2 and importing it into the database 
in its own time... all without stopping snort...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
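The "own concoction" the reply describes, as an added example that is not part of the original post nor Snort or barnyard2 code: a separate loader that reads a unified2 (U2) spool, decodes the IDS event records, and writes them to a database in its own process, so a slow or unreachable database can never stall the sensor. The record layout assumed here is Snort's 52-byte legacy `Unified2IDSEvent` (record type 7, all fields big-endian); check it against the `unified2.h` shipped with your Snort version before relying on it. The sample spool bytes, the placeholder non-event record, and the SQLite schema are constructed for the example. The loader returns the number of bytes it consumed so the caller can keep a bookmark and resume after a restart, and a record that runs past the end of the data is left for the next pass because Snort may still be appending it.

```python
"""Added example: unified2 spool -> SQLite loader, decoupled from Snort.

Layout assumption: legacy Unified2IDSEvent (record type 7, 52 bytes, big-endian).
Verify against the unified2.h of your Snort version.
"""
import socket
import sqlite3
import struct

UNIFIED2_IDS_EVENT = 7                           # legacy IPv4 IDS event record type
RECORD_HDR = struct.Struct("!II")                # record type, record length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")  # 52-byte event body
FIELDS = ("sensor_id", "event_id", "event_second", "event_usec", "sig_id",
          "gen_id", "sig_rev", "class_id", "priority", "src_ip", "dst_ip",
          "sport", "dport", "protocol", "impact_flag", "impact", "blocked")


def parse_spool(data, start=0):
    """Return (records, consumed). A record whose declared length runs past the
    end of the data is left unconsumed: Snort may still be writing it, so the
    next pass restarts at that offset instead of losing or mangling the event."""
    records, off = [], start
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        if off + RECORD_HDR.size + rlen > len(data):
            break                                # partial record, keep for later
        off += RECORD_HDR.size
        records.append((rtype, data[off:off + rlen]))
        off += rlen
    return records, off


def decode_ids_event(payload):
    """Unpack one IDS event body into a dict keyed by FIELDS."""
    vals = list(IDS_EVENT.unpack_from(payload))
    for i in (9, 10):                            # ip_source / ip_destination as raw u32
        vals[i] = socket.inet_ntoa(struct.pack("!I", vals[i]))
    return dict(zip(FIELDS, vals))


def load_events(data, conn, start=0):
    """Insert every IDS event record into conn; packet/extra-data records are
    skipped. Returns (inserted, consumed). The insert is one transaction, so a
    database failure raises before the bookmark advances and nothing is lost."""
    conn.execute("CREATE TABLE IF NOT EXISTS event (%s)" % ", ".join(FIELDS))
    records, consumed = parse_spool(data, start)
    rows = [tuple(decode_ids_event(p).values())
            for t, p in records if t == UNIFIED2_IDS_EVENT]
    with conn:
        conn.executemany("INSERT INTO event VALUES (%s)" % ",".join("?" * len(FIELDS)), rows)
    return len(rows), consumed


def _event(event_id, sig_id, src, dst, sport, dport, proto):
    """Constructed sample event record (header + body)."""
    body = IDS_EVENT.pack(1, event_id, 1487620000, 0, sig_id, 1, 3, 29, 2,
                          struct.unpack("!I", socket.inet_aton(src))[0],
                          struct.unpack("!I", socket.inet_aton(dst))[0],
                          sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_sample_u2():
    """Constructed spool: two events around a non-event record whose 4-byte
    payload is a placeholder (a real packet record carries its own header)."""
    filler = RECORD_HDR.pack(2, 4) + b"\x00\x00\x00\x00"
    return (_event(1, 1000001, "10.0.0.5", "10.0.0.80", 51515, 80, 6) + filler +
            _event(2, 1000002, "192.168.1.9", "192.168.1.1", 40000, 22, 6))


def run_demo(data, start=0):
    """Load data into an in-memory database; return (inserted, consumed, rows)."""
    conn = sqlite3.connect(":memory:")
    inserted, consumed = load_events(data, conn, start)
    rows = conn.execute(
        "SELECT sig_id, src_ip, dport FROM event ORDER BY event_id").fetchall()
    conn.close()
    return inserted, consumed, rows


if __name__ == "__main__":
    print(run_demo(build_sample_u2()))          # full spool: 2 events, 132 bytes consumed
    print(run_demo(build_sample_u2()[:-5]))     # truncated tail: 1 event, bookmark at 72
```

In production the loop would open the spool file, seek to the persisted bookmark, call `load_events` on whatever has been appended, and write the new `consumed` offset back only after the transaction commits; Snort itself never waits on any of it.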
