Snort mailing list archives
Re: v2.8.4 incorrect logging to MySQL
From: "Danny Paul" <JDPAUL () GoColumbiaMO com>
Date: Tue, 14 Apr 2009 12:01:25 -0500
I'd say that there are always going to be opinions on both sides of the issue. If the developers feel that they need to abandon it on the grounds that it will free development time for other issues then I support them in that. That being said, as long as snort has a functioning DB output, and as long as it continues to work for my environment, I will continue to use it.
On 4/14/2009 at 11:53 AM, in message <910b913d0904140953i2ce8bcg365d2a8eb8a6b240 () mail gmail com>, <jasonb () sourcefire com> wrote:

There are a few things I don't think you are considering.
1) DB writes are blocking; the engine cannot inspect packets while it writes to the DB.
2) Running a DB on the same system is not a design goal for something that needs to react near real-time; it should be offloaded.
3) Direct disk writes are much faster than DB writes, in any environment.
4) Other output methods are not going to be regression tested as often and are prone to break.

On Tue, Apr 14, 2009 at 12:34 PM, Danny Paul <JDPAUL () gocolumbiamo com> wrote:

Thumbs down. Nay. I installed barnyard yesterday to overcome the bug and discovered that my load more than doubled. I don't need the increased complexity of barnyard and disagree completely with the notion that it is more efficient to write the alert to disk twice (snort->unified, then unified->DB) vs once (snort->DB). In an environment where CPUs are fast and RAM is plentiful but you are I/O bound (which will probably be a lot of servers) why would you want to write data more often than necessary? Better yet, the DB backend allows you to offload your logging to another server, freeing up more of the sensor's capacity. I simply do not see the advantage and implore the snort developers to continue development of multiple backends.

On 4/14/2009 at 11:08 AM, in message <1c79c7b70904140908v64967a68uf5048ebedada2ef1 () mail gmail com>, <cummingsj () gmail com> wrote:

/me raises hand.. "I"

On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler () sourcefire com> wrote:

Seconded.

On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik <jasonb () sourcefire com> wrote:

Here is my vote to remove all output methods from the engine except unified, to remove the code complexity. People are much better off having two dedicated processes achieving a common goal than they are with the code complexity and issues in the one code base.

On Tue, Apr 14, 2009 at 8:31 AM, James Lay <jlay () slave-tothe-box net> wrote:

From: Ron Jenkins <rjenkins () rmjcs net>
Date: Mon, 13 Apr 2009 09:21:09 -0500
To: 'Joel Esler' <jesler () sourcefire com>
Cc: James Lay <jlay () slave-tothe-box net>, Snort <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL

We are backing down from v2.8.4 until the new version can successfully write to the sensor and signature tables correctly. Until Sourcefire truly removes writing to the MySQL database and forces unified logging we see no reason to change at this time. Yes the new rule changes are much wanted, but after reading on the mass issues on the snort forums with the new version we are holding off on the update. Thanks

I have to chime in and second this. Though Unified might be best, for smaller shops, my perception is that barnyard is an added layer of complexity. I run snort at the house on OS X...pretty much to catch the obvious dumb crap coming in from the outside world and to catch if the kids' machines get something naughty. Again, larger shops where IDS is mission critical should take the extra step, but small ones..eh...I've found that logging direct to mysql works well enough. My 0.02 I guess.

James
------------------------------------------------------------------------------
This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
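The two output pipelines argued over in this thread, side by side, as an added configuration example (not from any poster in the thread or from the Snort project's own documentation). The file paths, credentials, host name and sensor name are assumed placeholders, and the spool reader is assumed to be barnyard2.

```conf
# --- Pipeline A: snort -> DB directly (Snort 2.8.x 'database' output plugin) ---
# The INSERT happens inside the engine's output stage, so inspection stalls
# for the duration of each round-trip to the DB (Jason's point 1). Pointing
# 'host=' at a remote DB is what Danny means by offloading logging; it removes
# the DB from the sensor but not the blocking write from the engine.
# In snort.conf:
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=db.example.internal

# --- Pipeline B: snort -> unified2 spool -> barnyard2 -> DB ---
# In snort.conf: the engine only appends binary records to a local file
# (sequential disk write, rolled at 128 MB).
output unified2: filename snort.u2, limit 128

# In barnyard2.conf (assumed separate process on the sensor): it tails the
# spool and performs the blocking DB work, so a slow or unreachable DB only
# backs up the spool instead of the packet path.
config hostname: sensor01
config interface: eth0
input unified2
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=db.example.internal

# Run barnyard2 in continuous mode with a bookmark (waldo) file so it resumes
# where it left off after a restart instead of re-inserting old records:
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo
```

Pipeline B is the extra disk write Danny objects to; the trade is one sequential append on the sensor against keeping DB latency and DB outages out of the inspection loop.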