Snort mailing list archives

Re: Feature Request?


From: Dragos Ruiu <dr () kyx net>
Date: Mon, 2 Jul 2001 10:32:53 -0700

I dunno if it's a new feature request.... Marty's excellent new "barnyard"
output system might achieve this already, and if not it will make building
this in easy.  Have you looked at the cvs code?

--dr


On Mon, 02 Jul 2001, Kevin Brown wrote:
I was wondering how hard it might be to implement something within snort as
part of the logging features.  The snort box that I run here connects to a
remote database to log alerts.  The problem is that for various reasons
(firewall crashing, servers being rebooted, etc...) snort loses connection
with the SQL db and then the snort process dies.  A possible feature that
could be useful for others who might be in a similar situation would be some
way to cache the inserts until such a time as the server comes back online
and then the data could be sent.  This would be good as there wouldn't be a
repeat of what happened this last week when I went on vacation and no one
else checked on the snort box after the firewall locked up (the firewall
sits between our 6 servers and the rest of the world, the snort box is out
near the edge of the network).


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
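
Added example, not part of either e-mail and not Snort or barnyard code: a sketch of the store-and-forward logging asked for above, where alerts are appended to a local spool and forwarded to the database only when it is reachable. The class name, spool format and table layout are assumptions, sqlite3 stands in for the remote SQL server, the sample alerts are constructed, and a single writer process is assumed.

```python
import json, os, sqlite3, tempfile

class SpoolingAlertWriter:
    """Hypothetical writer: spool alerts locally, forward when the DB is reachable."""
    def __init__(self, spool_path, connect):
        self.spool_path = spool_path
        self.connect = connect  # callable returning a DB-API connection; may raise
    def log(self, alert):
        # Durable local append, so a DB outage never blocks or kills the sensor.
        with open(self.spool_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(alert) + "\n")
            f.flush()
            os.fsync(f.fileno())
    def flush(self):
        """Deliver spooled alerts in order; return how many reached the DB."""
        if not os.path.exists(self.spool_path):
            return 0
        with open(self.spool_path, encoding="utf-8") as f:
            pending = [json.loads(line) for line in f if line.strip()]
        try:
            db = self.connect()
            with db:  # one transaction: every row commits or none does
                db.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?)",
                    [(a["ts"], a["sig"], a["src"], a["dst"]) for a in pending])
            db.close()
        except (sqlite3.Error, OSError):
            return 0  # DB unreachable: keep the spool and retry later
        os.remove(self.spool_path)  # drop the spool only after a successful commit
        return len(pending)

def demo():
    """Simulated outage with constructed alerts; sqlite3 stands in for the remote DB."""
    tmp = tempfile.mkdtemp()
    db_path = os.path.join(tmp, "alerts.db")
    with sqlite3.connect(db_path) as setup:
        setup.execute("CREATE TABLE alerts (ts TEXT, sig TEXT, src TEXT, dst TEXT)")
    state = {"up": False}
    def connect():
        if not state["up"]:
            raise sqlite3.OperationalError("database unreachable (simulated)")
        return sqlite3.connect(db_path)
    w = SpoolingAlertWriter(os.path.join(tmp, "alerts.spool"), connect)
    w.log({"ts": "2001-07-02T10:00:00", "sig": "sample-alert-1", "src": "192.0.2.10", "dst": "198.51.100.5"})
    during = w.flush()  # outage: nothing delivered, alert stays spooled
    w.log({"ts": "2001-07-02T10:05:00", "sig": "sample-alert-2", "src": "192.0.2.11", "dst": "198.51.100.5"})
    state["up"] = True
    after = w.flush()  # DB back: both alerts delivered in order
    sigs = [r[0] for r in sqlite3.connect(db_path).execute("SELECT sig FROM alerts ORDER BY rowid")]
    return during, after, sigs
```

Calling `flush()` from a timer or after each `log()` gives the retry behaviour; the spool is deleted only after the insert transaction commits, so an outage in the middle of a flush loses nothing.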
