Snort mailing list archives
Re: Program that reads unified log format natively
From: Chris Green <cmg () sourcefire com>
Date: Fri, 24 Oct 2003 11:39:28 -0400
"Williams Jon" <WilliamsJonathan () JohnDeere com> writes:
This gets into one of the fundamental problems that I've had with barnyard in the first place. Today, we use snort to log directly to libpcap-format files locally and send the data across the net to the DB server. As I understand it, in order to have the same two functions (i.e. being able to use any libpcap-based tool to read the local files and data aggregation via the DB), I end up having to have nearly duplicate log files on my sensors, one in unified format that is then read and converted into libpcap. I understand the Snort Team's motivation behind externalizing the log processing, but by choosing a proprietary format for the first pass, they've either doubled the amount of disk space I need for logs or made a feature that I won't use.
The proprietary format is because of the need to store event data. Otherwise, there are kludges that would work with libpcap based tools but look odd. The easiest pcap app to convert would be to write an input plugin for ethereal. If you make one, please send it to me :)

The primary concern barnyard was written for was to allow output plugins to take variable amounts of time but let the IDS not block when something like the SQL server goes down without resorting to complicated threading

--
Chris Green <cmg () sourcefire com>
Eschew obfuscation.
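The two points in the reply (event data has no home in pcap, and a spool reader lets the sensor keep writing while a slow output catches up) in an added example; this is not barnyard's or Snort's code, and the seven-field record layout is a constructed stand-in for the unified log, not the real Snort struct:

```python
import struct
from typing import Iterator, List, Tuple

# Constructed, simplified record layout standing in for the unified log (NOT the real
# Snort struct): sig_generator, sig_id, sig_rev, ts_sec, ts_usec, caplen, pktlen,
# followed by caplen bytes of packet. The three signature fields are the event data
# that pcap has no field for, which is why a separate spool format was needed.
REC = struct.Struct("<IIIIIII")
# Standard pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, DLT_EN10MB
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def read_records(data: bytes, offset: int = 0) -> Iterator[Tuple[dict, bytes, int]]:
    """Yield (event, packet, next_offset) starting at `offset`. Stops cleanly at a
    record the sensor is still writing, so the bookmark never moves past it."""
    while offset + REC.size <= len(data):
        gen, sid, rev, sec, usec, caplen, pktlen = REC.unpack_from(data, offset)
        end = offset + REC.size + caplen
        if end > len(data):
            break  # partial trailing record: leave it for the next pass
        pkt = data[offset + REC.size:end]
        yield ({"gen": gen, "sid": sid, "rev": rev, "ts": (sec, usec), "pktlen": pktlen}, pkt, end)
        offset = end

def to_pcap(data: bytes, offset: int = 0) -> Tuple[bytes, int, List[Tuple[int, int, int]]]:
    """Convert every complete record after `offset` to pcap. Returns the pcap bytes,
    the new bookmark offset, and the (gen, sid, rev) tuples that pcap cannot carry
    (these would go to the DB or another output plugin instead)."""
    out = bytearray(PCAP_HDR)
    events = []
    last = offset
    for ev, pkt, last in read_records(data, offset):
        # pcap record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", ev["ts"][0], ev["ts"][1], len(pkt), ev["pktlen"])
        out += pkt
        events.append((ev["gen"], ev["sid"], ev["rev"]))
    return bytes(out), last, events

def make_record(gen: int, sid: int, rev: int, sec: int, usec: int, pkt: bytes) -> bytes:
    return REC.pack(gen, sid, rev, sec, usec, len(pkt), len(pkt)) + pkt

# Constructed spool: two complete records plus one cut off mid-write by the sensor.
SPOOL = (make_record(1, 1000, 3, 1066923568, 0, b"\xaa" * 60)
         + make_record(1, 2000, 1, 1066923569, 500, b"\xbb" * 40)
         + make_record(1, 3000, 1, 1066923570, 0, b"\xcc" * 80)[:50])
```

Calling `to_pcap(SPOOL)` yields two pcap packets and a bookmark just before the partial record; a later call with the completed data and that bookmark picks up only the third record.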
Current thread:
- Program that reads unified log format natively Ben Nelson (Oct 22)
- <Possible follow-ups>
- RE: Program that reads unified log format natively Williams Jon (Oct 24)
- RE: Program that reads unified log format natively Erek Adams (Oct 24)
- Re: Program that reads unified log format natively Ben Nelson (Oct 29)
- Re: Program that reads unified log format natively Bamm Visscher (Oct 25)
- Re: Program that reads unified log format natively Chris Green (Oct 25)
- RE: Program that reads unified log format natively Erek Adams (Oct 24)