Snort mailing list archives
Re: Snort.org Blog: Snort 2.9.1 beta coming soon!
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 13 Jun 2011 16:50:14 -0400
On Jun 13, 2011, at 2:16 PM, beenph wrote:

> On Mon, Jun 13, 2011 at 12:45 PM, Joel Esler <jesler () sourcefire com> wrote:
>
>> On Jun 13, 2011, at 12:13 PM, Russ Combs wrote:
>>
>>> Does the HTTP, SMTP, etc. logging take place in its own thread, or does it block the detection thread?
>>
>> No - logging is in the main thread. It is included in the unified2 output file; use the u2spewfoo tool included with Snort to see this. Barnyard2 developers (Snorby et al.), if they want to include this output in their tools, will have to update to handle this new output.
>>
>> Joel
>
> Barnyard2 currently does not log any of those Unified2ExtraDataHdr. But it will be able to process files where Unified2ExtraDataHdr are present. A consensus has to be made between frontend developers to determine how they would like to have Unified2ExtraDataHdr data stored in their datastore.
I'll tell you why I'm asking if there is interest in someone else maintaining the sql schema. The original schema and db output was written, literally, as a college project. Thesis project I think. (Along with ACID. The precursor to BASE. At Carnegie Mellon.) We agree that it's not very good (as you stated in your email).

We (Sourcefire) don't have the cycles to maintain the structure, and we've been discussing EOL'ing the db output method for years. We'd like to standardize on our unified2 output structure, providing we continue to distribute u2spewfoo for developers and users to dump the data directly.

Of course we wouldn't do this suddenly! We'd like to keep some of the present output modules (binary, unified2, -A (fast, cmg, full, etc.), maybe a couple more (I don't have the full list in front of me)), but definitely EOL output modules like the DB method, and perhaps a couple more.

I invite our developers to chime in with their thoughts as well. What does the community think of that?

J

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
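The thread above says the new HTTP/SMTP logging lands in the unified2 file as Unified2ExtraDataHdr records, and that a frontend such as Barnyard2 must at least step over them and, if it wants the data, decode them and join them to the owning event. The following is an added example, not code from Snort, Barnyard2 or anyone on this thread: a small Python reader that walks a unified2 byte stream, passes over record types it does not know, decodes UNIFIED2_EXTRA_DATA records with every length field cross-checked, and groups the blobs by (sensor_id, event_id). It assumes the record layout and constant values of Snort 2.9's Unified2_common.h (record type 110, event_type 4, the six-field Unified2ExtraData struct, and the EventInfo numbering); the sample stream, the sensor and event numbers and the URI and hostname in it are constructed here.

```python
"""Walk a unified2 stream and decode UNIFIED2_EXTRA_DATA records.
Layout and constants are taken from Snort 2.9's Unified2_common.h as an
assumption; every sample byte below is constructed in this file."""
import struct
from typing import Dict, Iterator, NamedTuple, Tuple

UNIFIED2_EXTRA_DATA = 110   # Unified2RecordHeader.type for extra data (assumed)
EVENT_TYPE_EXTRA_DATA = 4   # Unified2ExtraDataHdr.event_type (assumed)
EVENT_DATA_TYPE_BLOB = 1    # Unified2ExtraData.data_type (assumed)

# EventInfo values carried in Unified2ExtraData.type (assumed numbering).
EVENT_INFO_NAMES = {
    1: "xff_ipv4", 2: "xff_ipv6", 3: "reviewed_by", 4: "gzip_data",
    5: "smtp_filename", 6: "smtp_mailfrom", 7: "smtp_rcptto",
    8: "smtp_email_hdrs", 9: "http_uri", 10: "http_hostname",
    11: "ipv6_src", 12: "ipv6_dst", 13: "jsnorm_data",
}

REC_HDR = struct.Struct("!II")         # Unified2RecordHeader: type, length (big-endian)
EXTRA_HDR = struct.Struct("!II")       # Unified2ExtraDataHdr: event_type, event_length
EXTRA_BODY = struct.Struct("!IIIIII")  # Unified2ExtraData: sensor_id, event_id,
                                       #   event_second, type, data_type, blob_length


class ExtraData(NamedTuple):
    sensor_id: int
    event_id: int
    event_second: int
    info_name: str
    blob: bytes


def build_extra_data_record(sensor_id: int, event_id: int, event_second: int,
                            info_type: int, blob: bytes) -> bytes:
    """Serialize one extra-data record; used only to construct sample input.
    blob_length counts the blob plus the 8 bytes of data_type and blob_length."""
    body = EXTRA_BODY.pack(sensor_id, event_id, event_second, info_type,
                           EVENT_DATA_TYPE_BLOB, len(blob) + 8) + blob
    inner = EXTRA_HDR.pack(EVENT_TYPE_EXTRA_DATA, EXTRA_HDR.size + len(body)) + body
    return REC_HDR.pack(UNIFIED2_EXTRA_DATA, len(inner)) + inner


def iter_records(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (record_type, payload) for each complete record.  A truncated tail
    is left unread instead of raising: Snort appends to the file while a reader
    tails it, so a short read means 'retry later', not 'corrupt file'."""
    off = 0
    while off + REC_HDR.size <= len(buf):
        rtype, length = REC_HDR.unpack_from(buf, off)
        if off + REC_HDR.size + length > len(buf):
            break
        off += REC_HDR.size
        yield rtype, buf[off:off + length]
        off += length


def parse_extra_data(payload: bytes) -> ExtraData:
    """Decode Unified2ExtraDataHdr + Unified2ExtraData + blob, checking each
    length field against the bytes actually present before trusting it."""
    if len(payload) < EXTRA_HDR.size + EXTRA_BODY.size:
        raise ValueError("extra-data record shorter than its fixed headers")
    event_type, event_length = EXTRA_HDR.unpack_from(payload, 0)
    if event_type != EVENT_TYPE_EXTRA_DATA or event_length != len(payload):
        raise ValueError("bad Unified2ExtraDataHdr: type=%d len=%d" % (event_type, event_length))
    sensor_id, event_id, event_second, info_type, data_type, blob_length = \
        EXTRA_BODY.unpack_from(payload, EXTRA_HDR.size)
    if data_type != EVENT_DATA_TYPE_BLOB:
        raise ValueError("unknown data_type %d" % data_type)
    start = EXTRA_HDR.size + EXTRA_BODY.size
    if blob_length < 8 or start + blob_length - 8 != len(payload):
        raise ValueError("blob_length %d disagrees with record length" % blob_length)
    return ExtraData(sensor_id, event_id, event_second,
                     EVENT_INFO_NAMES.get(info_type, "unknown_%d" % info_type),
                     payload[start:])


def collect_extra_data(buf: bytes) -> Dict[Tuple[int, int], Dict[str, bytes]]:
    """Group extra data by (sensor_id, event_id), the key a frontend would join
    against its event table; all other record types are passed over untouched."""
    out: Dict[Tuple[int, int], Dict[str, bytes]] = {}
    for rtype, payload in iter_records(buf):
        if rtype != UNIFIED2_EXTRA_DATA:
            continue
        ed = parse_extra_data(payload)
        out.setdefault((ed.sensor_id, ed.event_id), {})[ed.info_name] = ed.blob
    return out


# Constructed sample stream: one opaque record of another type (type 7 with a
# zero-filled 52-byte body, not a real event), two extra-data records for
# event 42, and a truncated trailing record that must be skipped, not parsed.
SAMPLE_STREAM = (
    REC_HDR.pack(7, 52) + b"\x00" * 52
    + build_extra_data_record(1, 42, 1307998214, 9, b"/cgi-bin/test.cgi?id=1")
    + build_extra_data_record(1, 42, 1307998214, 10, b"www.example.com")
    + REC_HDR.pack(UNIFIED2_EXTRA_DATA, 40) + b"\x00" * 10
)

if __name__ == "__main__":
    for key, fields in collect_extra_data(SAMPLE_STREAM).items():
        print(key, {k: v.decode("ascii", "replace") for k, v in fields.items()})
```

The cross-checks in parse_extra_data are the part worth copying: event_length, blob_length and the outer record length all describe the same bytes, and a reader that trusts any one of them alone can be walked off the end of its buffer by a corrupted or hostile spool file.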
Current thread:
- Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 11)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Martin Holste (Jun 13)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Russ Combs (Jun 13)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 13)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! beenph (Jun 13)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 13)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 13)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! firnsy (Jun 14)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 14)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Randal T. Rioux (Jun 14)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 14)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! firnsy (Jun 15)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 15)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Steven Sturges (Jun 15)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 15)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Randal T. Rioux (Jun 15)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Russ Combs (Jun 13)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Martin Holste (Jun 13)
- Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Martin Holste (Jun 13)