Snort mailing list archives

RE: Queuing MSSQL log data without Barnyard


From: "Burleson, Lee (IA)" <Lee.Burleson () ia ngb army mil>
Date: Mon, 24 Sep 2001 11:39:05 -0500

Chris -

I didn't realize that a db write would cause Snort to drop packets.  If so,
I will have to keep an eye on it. -see question below-  Currently the
sensors are logging directly to the central MSSQL DB over IPSec - I did not
see any packet loss in my trials.  If processor utilization has anything to
do with it, I have _lots_ of cycles to spare.  Hopefully logging to a local
DB would keep loss to a minimum.

Question: How does one, in Win32, cause Snort to give statistics on demand?
I seem to remember that one can send a signal to the Snort process in *n?x
to achieve this, but I see no Win32 equivalent.

- Lee

-----Original Message-----
From: Chris Green [mailto:cmg () uab edu]
Sent: Monday, September 24, 2001 10:54
To: Burleson, Lee (IA)
Cc: Snort-Users (E-mail)
Subject: Re: [Snort-users] Queuing MSSQL log data without Barnyard


"Burleson, Lee (IA)" <Lee.Burleson () ia ngb army mil> writes:

> Just an idea for anyone that is interested; feedback appreciated.
>
> In the absence of Barnyard, I am toying with the following scenario:
>
> *  Central DB: Win2k, MSSQL Standard, with Replication components installed
> *  Snort sensor(s): Win2k, MSSQL _Personal_, Snort configured to log to itself
>
> *  The sensors would then be set up to replicate their local Snort DB to the
>    Central DB, in a push only scenario.
> *  All traffic between sensors and Central DB would be secured with IPSec.
> *  MSSQL Replication would be handled in a queuing fashion.
> *  No more problems with downtime of Central DB, as Sensors are logging to
>    themselves.

SQL insertion is a slow operation compared to network wirespeed.  One
thing that you may consider doing is binary logging and then use
another instance of snort to do the logging to the local database.

When DB support is available for barnyard, you may also just consider
doing that exact same scenario with barnyard pushing to local db.
-- 
Chris Green <cmg () uab edu>
A watched process never cores.
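The two-stage arrangement Chris describes (capture to binary logs, replay them through a second Snort instance that does nothing but the database insert) as an added example; this is not code from the thread or from the Snort project. It assumes a sensor config whose output is `log_tcpdump`, a separate "dbwriter" config carrying the `output database:` line, the spool and done directories shown, and that Snort's `-b` and `-r` flags behave as in the 1.x/2.x line (binary log files named `snort.log.*` in the `-l` directory). The point is that a slow or unavailable database only lets files pile up in the spool; it never stalls the capturing process.

```shell
# Added example: decoupled Snort logging. Stage 1 captures packets and writes
# tcpdump-format files only; stage 2 replays finished files into a DB-only
# Snort instance. SNORT, paths and config names are assumptions, override as needed.
SNORT="${SNORT:-snort}"
SPOOL="${SPOOL:-/var/log/snort/spool}"      # where the sensor drops snort.log.* files
DONE="${DONE:-/var/log/snort/done}"         # files already inserted into the DB
SENSOR_CONF="${SENSOR_CONF:-/etc/snort/sensor.conf}"   # rules + output log_tcpdump
DB_CONF="${DB_CONF:-/etc/snort/dbwriter.conf}"         # same rules + output database: ...

# Stage 1: sniff the wire and binary-log (-b) into SPOOL; no DB work here,
# so a stalled insert cannot turn into dropped packets on the capture side.
start_sensor() {
    mkdir -p "$SPOOL"
    "$SNORT" -c "$SENSOR_CONF" -b -l "$SPOOL" -i "${1:-eth0}" -D
}

# Stage 2: drain the spool. $1 is the file the sensor is still writing, which
# is skipped; every other file is replayed (-r) through the DB-writing config.
# A file is moved to DONE only after a successful replay, so a crash mid-way
# leaves it queued rather than silently lost, and a finished file is never
# re-inserted. Prints the number of files inserted.
drain_spool() {
    active="$1"
    mkdir -p "$DONE"
    processed=0
    for f in "$SPOOL"/snort.log*; do
        [ -f "$f" ] || continue
        [ "$(basename "$f")" = "$active" ] && continue
        if "$SNORT" -c "$DB_CONF" -r "$f" -l "$DONE" >/dev/null 2>&1; then
            mv "$f" "$DONE/"
            processed=$((processed + 1))
        else
            echo "replay failed for $f; leaving it queued in $SPOOL" >&2
        fi
    done
    echo "$processed"
}
```

Run `start_sensor eth0` once, then call `drain_spool` from cron or a loop with the name of the file the sensor currently has open; whatever the database outage, the backlog is just files on disk.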


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

