Snort mailing list archives
Re: Sanity check for high volume logging
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 08 Jan 2002 23:11:18 -0500
Zarathustra Ubermensch wrote:
> Hello,
>
> Config: snort 1.8.1 running under Solaris 8 (netra t1) with mysql 3.23
>
> I'm currently monitoring some pretty high traffic levels and am logging
> them to mysql with the following command lines in my snort.conf:
>
>   output database: log, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=localhost
>   output database: alert, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=localhost
>
> Performance is lacking, so I'd like to switch to binary logging by using
> something like:
>
>   output log_tcpdump: sensor.company.com-tcpdump.log
>
> My questions:
>
> 1. Will this capture both "log" and "alert" information similar to the
> way in which my current mysql config works? i.e. Will I get the same data
> regardless of the logging mechanism (tcpdump or mysql)?
The tcpdump logging mechanism logs the binary packets straight from the wire, that's all you get. You have to match the packets back up with the alerts later. Please note, logs != alerts in Snort, alerts tell you something interesting has happened, logs let you see what it was.
> 2. I'd still like to aggregate this data to a much beefier database
> server for long term trend analysis. Can I use a different snort.conf
> file that uses "output database" configs and simply replay the tcpdump
> logs against that snort.conf to populate the database?
Yes. You might also want to check out the new unified logging format and
barnyard, they're The Future when it comes to Snort logging and high
performance.

     -Marty

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
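The part of Marty's answer that people trip over is "you have to match the packets back up with the alerts later": with output log_tcpdump the sensor keeps only raw packets, and the alert stream (alert_fast, unified, or the database "alert" table) has to be joined to them afterwards. The script below is an added example for this archive page, not Snort's or Sourcefire's code. It reads a classic pcap file as written by log_tcpdump, parses alert lines in Snort's alert_fast format, and joins the two on packet timestamp plus protocol/address/port tuple. The pcap bytes, alert lines, addresses and SIDs are constructed inline for the demonstration. It assumes the alert timestamps are UTC (a real sensor writes local time) and, because alert_fast omits the year unless snort is run with -y, takes the year as a parameter.

```python
"""Match Snort alerts back to packets in a tcpdump-format (pcap) log.

Added example for this mailing-list thread, not Snort's own code.
All sample data (pcap bytes, alert lines, addresses, SIDs) is constructed.
"""
import calendar
import re
import socket
import struct

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}

# ---------- reading the log_tcpdump file ---------------------------------

def parse_pcap(data):
    """Return [(ts_usec, (proto, src, sport, dst, dport), frame)] for every
    IPv4 frame in a classic (non-pcapng) Ethernet pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only DLT_EN10MB (Ethernet) is handled here")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + caplen]
        off += caplen
        key = decode_ipv4(frame)
        if key:
            pkts.append((sec * 1_000_000 + usec, key, frame))
    return pkts

def decode_ipv4(frame):
    """Ethernet/IPv4 -> (proto, src, sport, dst, dport); ports are 0 for
    anything but TCP/UDP.  Returns None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IP header starts at offset 14
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    sport = dport = 0
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return (proto, src, sport, dst, dport)

# ---------- reading alert_fast lines -------------------------------------

ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[[^\]]*\]\s+)*"                 # optional [Classification:] [Priority:]
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

def parse_alert(line, year):
    """alert_fast carries no year unless snort runs with -y, so the caller
    supplies it.  Time is treated as UTC here (constructed data); a real
    sensor writes local time, so adjust for the sensor's zone."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    mo, d, h, mi, s, us = (int(x) for x in m.groups()[:6])
    ts = calendar.timegm((year, mo, d, h, mi, s, 0, 0, 0)) * 1_000_000 + us
    key = (PROTO_NUM.get(m["proto"].upper(), 0), m["src"],
           int(m["sport"] or 0), m["dst"], int(m["dport"] or 0))
    return {"ts": ts, "sid": m["sid"], "msg": m["msg"], "key": key}

# ---------- the join -----------------------------------------------------

def correlate(alerts, pkts, window_us=0):
    """For each alert, pick the packet with the same 5-tuple whose capture
    time is closest and within window_us.  Snort stamps an alert with the
    packet's own capture time, so window_us=0 (exact) is the normal case."""
    index = {}
    for i, (ts, key, _) in enumerate(pkts):
        index.setdefault(key, []).append((ts, i))
    out = []
    for a in alerts:
        best = None
        for ts, i in index.get(a["key"], []):
            dt = abs(ts - a["ts"])
            if dt <= window_us and (best is None or dt < best[0]):
                best = (dt, i)
        out.append((a, None if best is None else best[1]))
    return out

# ---------- constructed sample data --------------------------------------

def _frame(src, dst, sport, dport, payload=b""):
    """Ethernet/IPv4/TCP frame with zero checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(records):
    """records = [(ts_usec, frame)] -> little-endian classic pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000,
                           len(frame), len(frame)) + frame
    return out

T0 = calendar.timegm((2002, 1, 8, 23, 11, 18, 0, 0, 0)) * 1_000_000  # constructed

SAMPLE_PCAP = build_pcap([
    (T0 + 100, _frame("10.1.1.5", "10.1.1.80", 40001, 80, b"GET /../../etc/passwd HTTP/1.0\r\n")),
    (T0 + 250, _frame("10.1.1.80", "10.1.1.5", 80, 40001, b"HTTP/1.0 404\r\n")),
    (T0 + 400, _frame("10.1.1.7", "10.1.1.80", 40002, 80, b"GET / HTTP/1.0\r\n")),
])

SAMPLE_ALERTS = [  # constructed alert_fast lines; the second has no packet in the log
    "01/08-23:11:18.000100  [**] [1:1122:1] WEB-MISC /etc/passwd [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 10.1.1.5:40001 -> 10.1.1.80:80",
    "01/08-23:11:19.500000  [**] [1:1122:1] WEB-MISC /etc/passwd [**] "
    "{TCP} 10.1.1.9:40003 -> 10.1.1.80:80",
]

def run(pcap=SAMPLE_PCAP, alert_lines=SAMPLE_ALERTS, year=2002):
    pkts = parse_pcap(pcap)
    alerts = [a for a in (parse_alert(l, year) for l in alert_lines) if a]
    return correlate(alerts, pkts)

if __name__ == "__main__":
    for alert, idx in run():
        where = "packet %d" % idx if idx is not None else "NO PACKET IN LOG"
        print(alert["sid"], alert["msg"], "->", where)
```

On a real sensor you would feed run() the contents of the log_tcpdump file and of alert_fast's alert file instead of the constructed samples. The second sample alert deliberately has no packet in the log, which is what you see when the tcpdump log was rotated or the capture dropped the packet; that case is why the unmatched result is returned rather than ignored. The other route Marty confirms, replaying the tcpdump log through a second snort.conf that carries the output database lines (snort -r <logfile> -c <that conf>), avoids doing this join by hand, at the cost of re-running detection offline.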
Current thread:
- Sanity check for high volume logging Zarathustra Ubermensch (Jan 07)
- Re: Sanity check for high volume logging Martin Roesch (Jan 08)