Snort mailing list archives
RE: Feature Request?
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Mon, 02 Jul 2001 10:53:55 -0700
I haven't looked at the latest stuff in cvs. Current version I'm running is:

bash-2.03# /usr/local/bin/snort -V
-*> Snort! <*-
Version 1.8-beta5 (Build 24)
By Martin Roesch (roesch () clark net, www.snort.org)

I just checked out the new version from cvs and will give it a try (new db schema to implement) and see if the new schema also improves the speed of the db when it gets to > 1GB.

-----Original Message-----
From: Dragos Ruiu [mailto:dr () kyx net]
Sent: Monday, July 02, 2001 10:33
To: Kevin Brown; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Feature Request?

I dunno if it's a new feature request.... Marty's excellent new "barnyard" output system might achieve this already, and if not it will make building this in easy. Have you looked at the cvs code?

--dr

On Mon, 02 Jul 2001, Kevin Brown wrote:
I was wondering how hard it might be to implement something within snort as part of the logging features. The snort box that I run here connects to a remote database to log alerts. The problem is that for various reasons (firewall crashing, servers being rebooted, etc...) snort loses connection with the SQL db and then the snort process dies. A possible feature that could be useful for others who might be in a similar situation would be some way to cache the inserts until such a time as the server comes back online and then the data could be sent. This would be good as there wouldn't be a repeat of what happened this last week when I went on vacation and no one else checked on the snort box after the firewall locked up (the firewall sits between our 6 servers and the rest of the world, the snort box is out near the edge of the network).

Begin Geek Code;
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Dragos Ruiu <dr () dursec com> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
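A store-and-forward output sink of the kind the request above describes, as an added Python example (it is not Snort's or Barnyard's code): an alert whose insert fails is appended to a local spool file instead of the process dying, and the spool is replayed in order before any new alert once the database accepts inserts again. The insert callable, the JSON-lines spool format and the sample alerts are assumptions constructed for the demo.

```python
import json, os, tempfile

class DbDown(Exception):
    pass  # raised by the insert callable when the SQL server is unreachable

class SpoolingAlertSink:
    """Store-and-forward sink: failed inserts go to a local spool, replayed in order."""
    def __init__(self, insert, spool_path):
        self.insert = insert            # callable(alert) -> None, raises DbDown
        self.spool_path = spool_path
        open(spool_path, "a").close()   # make sure the spool file exists
    def _replay(self):
        """Send the backlog oldest-first, stop at first failure; returns how many remain."""
        with open(self.spool_path) as f:
            pending = [json.loads(line) for line in f if line.strip()]
        sent = 0
        try:
            for alert in pending:
                self.insert(alert)
                sent += 1
        except DbDown:
            pass
        with open(self.spool_path, "w") as f:
            f.writelines(json.dumps(a) + "\n" for a in pending[sent:])
        return len(pending) - sent
    def log(self, alert):
        """Backlog first (keeps order); spool this alert if the server is down."""
        if self._replay() == 0:
            try:
                self.insert(alert)
                return True
            except DbDown:
                pass
        with open(self.spool_path, "a") as f:
            f.write(json.dumps(alert) + "\n")
        return False

def demo():
    rows, state = [], {"up": True}
    def insert(alert):                  # constructed stand-in for the SQL server
        if not state["up"]:
            raise DbDown("connection refused")
        rows.append(alert)
    sink = SpoolingAlertSink(insert, os.path.join(tempfile.mkdtemp(), "spool"))
    sink.log({"sid": 1})
    state["up"] = False                 # firewall locks up, DB unreachable
    sink.log({"sid": 2}); sink.log({"sid": 3})   # spooled, process survives
    state["up"] = True                  # server comes back
    sink.log({"sid": 4})                # replays 2, 3 in order, then sends 4
    return [r["sid"] for r in rows]     # [1, 2, 3, 4]
```

The spool is only rewritten after a replay attempt, so an alert already on disk is never lost to a second outage mid-replay; disk space for the spool is the one resource the sink does not bound.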
Current thread:
- Feature Request? Kevin Brown (Jul 02)
- Re: Feature Request? Dragos Ruiu (Jul 02)
- Re: Feature Request? Chris Green (Jul 02)
- <Possible follow-ups>
- RE: Feature Request? Kevin Brown (Jul 02)
- RE: Feature Request? Kevin Brown (Jul 02)