Snort mailing list archives

Re: Sanity check for high volume logging


From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 08 Jan 2002 23:11:18 -0500

Zarathustra Ubermensch wrote:

> Hello,
> Config: snort 1.8.1 running under Solaris 8 (netra t1) with mysql 3.23
>
> I'm currently monitoring some pretty high traffic levels and am logging them
> to mysql with the following command lines in my snort.conf
>
> output database: log, mysql, user=mysql sensor_name=sensor.company.com
> dbname=snort host=localhost
>
> output database: alert, mysql, user=mysql sensor_name=sensor.company.com
> dbname=snort host=localhost
>
> Performance is lacking, so I'd like to switch to binary logging by using
> something like "output log_tcpdump: sensor.company.com-tcpdump.log"
>
> My questions:
> 1. Will this capture both "log" and "alert" information similar to the way
> in which my current mysql config works? i.e. Will I get the same data
> regardless of the logging mechanism (tcpdump or mysql)?

The tcpdump logging mechanism logs the binary packets straight from the
wire, that's all you get.  You have to match the packets back up with
the alerts later.  Please note, logs != alerts in Snort, alerts tell you
something interesting has happened, logs let you see what it was.

> 2. I'd still like to aggregate this data to a much beefier database server
> for long term trend analysis. Can I use a different snort.conf file that
> uses "output database" configs and simply replay the tcpdump logs against
> that snort.conf to populate the database?

Yes.

You might also want to check out the new unified logging format and
barnyard, they're The Future when it comes to Snort logging and high
performance.

     -Marty


--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
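An added example (not from this mail or from the Snort project) of the "match the packets back up with the alerts later" step Marty describes: it parses alert_fast-style lines, walks a log_tcpdump (libpcap) file and pairs each alert with the packet that shares its timestamp and 5-tuple, then reports the packets that were logged but never alerted on, which is the "logs != alerts" distinction in practice. The year and a UTC clock are assumptions (alert_fast lines carry neither); the packets, addresses, SID 1000001 and alert message are all constructed for the demonstration. The replay in question 2 is a separate step (Snort reads a tcpdump file with -r and takes the alternate configuration with -c); this script covers the correlation side only.

```python
# Added example (not from the mail or the Snort project): match alert_fast lines
# back to packets in a log_tcpdump (libpcap) file. Year and UTC clock are assumptions.
import calendar
import re
import socket
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})\s+\[\*\*\]\s+"
    r"\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*?\{(\w+)\}\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s*$")

def epoch(year, mon, day, hh, mm, ss):
    """Seconds since the epoch, treating the wall-clock time as UTC (assumption)."""
    return calendar.timegm((year, mon, day, hh, mm, ss, 0, 0, 0))

def parse_alert(line, year):
    """Parse one alert_fast line into a dict with a 5-tuple key, or None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, usec = (int(x) for x in m.groups()[:6])
    _gid, sid, _rev, msg, proto, src, sport, dst, dport = m.groups()[6:]
    return {"sid": int(sid), "msg": msg, "sec": epoch(year, mon, day, hh, mm, ss),
            "usec": usec, "key": (PROTO_NUM.get(proto), src, int(sport) if sport else None,
                                  dst, int(dport) if dport else None)}

def build_frame(src, sport, dst, dport, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (test data only; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + ETHERTYPE_IPV4 + ip + tcp + payload

def write_pcap(records):
    """Serialize (sec, usec, frame) records into a classic libpcap image (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(blob):
    """Yield (sec, usec, frame) from a classic libpcap image, either byte order."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if order is None:
        raise ValueError("not a classic libpcap file")
    off = 24
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack(order + "IIII", blob[off:off + 16])
        yield sec, usec, blob[off + 16:off + 16 + caplen]
        off += 16 + caplen

def flow_key(frame):
    """(proto, src, sport, dst, dport) of an IPv4 frame; ports are None unless TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return (proto, src, sport, dst, dport)
    return (proto, src, None, dst, None)

def match_alerts(alerts, blob, slack_usec=0):
    """Return ({alert index: [packet indices]}, [indices of packets no alert claims]).
    Snort stamps an alert with the triggering packet's own timestamp, so slack 0 is normal."""
    hits, unmatched = {i: [] for i in range(len(alerts))}, []
    for p, (sec, usec, frame) in enumerate(read_pcap(blob)):
        key, t = flow_key(frame), sec * 1_000_000 + usec
        owners = [i for i, a in enumerate(alerts) if key == a["key"]
                  and abs(t - (a["sec"] * 1_000_000 + a["usec"])) <= slack_usec]
        for i in owners:
            hits[i].append(p)
        if not owners:
            unmatched.append(p)
    return hits, unmatched

# Constructed data: three logged packets; only the second one raised an alert.
YEAR, T0 = 2002, epoch(2002, 1, 8, 23, 11, 18)
SAMPLE_LOG = write_pcap([
    (T0, 100000, build_frame("10.1.1.5", 4321, "192.168.1.10", 80, b"GET / HTTP/1.0\r\n")),
    (T0, 250000, build_frame("10.1.1.5", 4322, "192.168.1.10", 80, b"GET /cgi-bin/x HTTP/1.0\r\n")),
    (T0 + 1, 0, build_frame("192.168.1.10", 80, "10.1.1.5", 4322, b"HTTP/1.0 200 OK\r\n")),
])
SAMPLE_ALERTS = [  # invented sid and message, alert_fast layout
    "01/08-23:11:18.250000 [**] [1:1000001:1] DEMO cgi-bin probe [**] "
    "[Priority: 2] {TCP} 10.1.1.5:4322 -> 192.168.1.10:80",
]

def demo():
    """Correlate the constructed alerts with the constructed log."""
    alerts = [a for a in (parse_alert(line, YEAR) for line in SAMPLE_ALERTS) if a]
    hits, unmatched = match_alerts(alerts, SAMPLE_LOG)
    return alerts, hits, unmatched

if __name__ == "__main__":
    _, hits, unmatched = demo()
    print("alert -> packets:", hits, "| logged but never alerted:", unmatched)
```

Run against a real sensor by replacing SAMPLE_LOG with the bytes of the log_tcpdump file and SAMPLE_ALERTS with the lines of the alert file; raise slack_usec only if the two files were not written by the same Snort process.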

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net