Re: barnyard to db

[Jed Pickel <jed () pickel net>]

On Mon, Oct 01, 2001 at 04:39:57PM -0700, Andrew R. Baker wrote:
> > is there any db support through barnyard?   I read the documentation, 
> > and other than through the traditional snort output to MYSQL
> > and other  unixodbc outputs, there was no mention of 
> > db output from barnyard.
>
> there are not currently any database output plugins available in barnyard.
>  I have contemplated porting Jed's database output plugin over to
> barnyard, but there are other things that need to be completed first.

Note that I made an attempt at porting the db plugin over to barnyard
beta2 a couple weeks ago and --- while I was able to get it partially
working there were some problems that do not have obvious solutions
(listed below). If you know of any simple workarounds or if any of
this is addressed in beta3 please let me know.

* The unified log format does not store any information about where 
  an event originated from (no host, interface, bpf filter string,
  etc); thus, the database plugin is not able to determine which 
  sensor the event data is associated with. There are ways around
  this, (eg. adding a new sensor each time barnyard executes, having a
  single sensor for barnyard, etc...) but they all involve tossing out
  the current notion of a sensor resulting in broken functionality in
  one or more of the analysis apps that use the current db format.

* User defined rules don't log any message. This comes from the fact
  that barnyard requires the use of the sid-msg.map file and that all
  user defined rules actually have a "sid". The obvious workaround is
  for users to maintain their rules in two places, but I personally am
  not in support of this. Any chance snort could auto-generate this
  file and auto-assign sid's for rules that don't have them?

* Alert / Log - I'm not interested in maintaining a separate database
  plugin for each logging facility. In beta2 there was no way to
  connect an output plugin to more than one input type. As it stands,
  I connect only to "log".

> > I noticed that in the lecture you gave at IO Wargames, 
> > you were mentioning 20,000 writes per 
> > second though barnyard, compared to +-800 with MYSQL output
> > plugin from snort, and was wondering if that was to a 
> > database, and if so, which one?  Is this something for the future?
>
> The benchmark mentioned was obtained using a high speed embedded database.
>  I will let Marty talk more about that if he wants to.

I've heard others mention these numbers. I am interested in seeing
some supporting data for this. Also, has anyone measured the
performance difference between barnyard and simply replaying pcap
through another instance of snort?

* Jed

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users