Snort mailing list archives
Re: Queuing MSSQL log data without Barnyard
From: Chris Green <cmg () uab edu>
Date: Mon, 24 Sep 2001 10:53:58 -0500
"Burleson, Lee (IA)" <Lee.Burleson () ia ngb army mil> writes:
> Just an idea for anyone that is interested; feedback appreciated. In the absence of Barnyard, I am toying with the following scenario:
>
> * Central DB: Win2k, MSSQL Standard, with Replication components installed
> * Snort sensor(s): Win2k, MSSQL _Personal_, Snort configured to log to itself
> * The sensors would then be set up to replicate their local Snort DB to the Central DB, in a push only scenario.
> * All traffic between sensors and Central DB would be secured with IPSec.
> * MSSQL Replication would be handled in a queuing fashion.
> * No more problems with downtime of Central DB, as Sensors are logging to themselves.
SQL insertion is a slow operation compared to network wirespeed. One thing that you may consider doing is binary logging and then use another instance of snort to do the logging to the local database.

When DB support is available for barnyard, you may also just consider doing that exact same scenario with barnyard pushing to local db.

--
Chris Green <cmg () uab edu>
A watched process never cores.
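The two-instance split Chris describes, sketched as an added example (not from the original thread): one Snort instance captures at wire speed into binary (tcpdump-format) logs, and a second instance replays those files into the sensor's local MSSQL database, so slow inserts never stall capture. The directory, file name, database name and credentials are placeholders.

```conf
# --- Instance 1: capture sensor, binary logging only (no database) ---
# Command line (assumed layout; adjust paths for the Win2k sensor):
#   snort -c snort-capture.conf -l C:\snort\log -b
# -b writes packets in tcpdump format, which is much faster than per-alert
# database inserts. Keep the database plugin OUT of this config.
output alert_fast: alert.ids

# --- Instance 2: reader, converts the binary logs into local MSSQL rows ---
# Command line, run periodically over each rotated binary log file:
#   snort -c snort-db.conf -r C:\snort\log\<binary-log-file>
# The same rule set is loaded here so detection results match the sensor.
# Placeholder credentials: use a low-privilege DB account with insert-only
# rights on the Snort tables, since this is what replication pushes upstream.
output database: log, mssql, dbname=snort user=snort_writer password=<placeholder> host=localhost
```

The reader instance exits when it reaches the end of the file, so it is scheduled against finished log files rather than the one the capture instance is still writing.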