Snort mailing list archives
Re: Snort and Mysql for statistics purposes
From: David Jiménez Domínguez <djdsecurity () gmail com>
Date: Thu, 10 Mar 2005 01:03:09 -0600
I'm developing a data analysis interface with mod_perl and rrdtool, just like Olaf's examples. I have read the documentation and even the mailing list, and it appears that ntop doesn't support logging to MySQL anymore. Some users have reported problems and have lost data with it, for example: http://listgateway.unipi.it/pipermail/ntop/2005-February/009892.html

**************************************************************
TOP 10 - the questions everyone asks...

Q1(a). Can I store data in a SQL database?
Q1(b). When ntop stops I lose all my data. Why?
Q1(c). Why doesn't the -S option work?

A. ntop used to optionally store some data in a SQL database. The code was broken, difficult to maintain, etc. and was removed. A LONG TIME AGO. If you are reading about this in 'some' documentation - update. Current ntop is 3.1, which is the only version we support.

There are scripts that various users have offered to take the data dump and insert it into a SQL database. Search the back traffic on the mailing list for them.

Yes, ntop uses memory based structures to hold usage data and they are lost when you reset or restart ntop. Persistent storage is in the RRD databases - there's a paper @ SourceForge that explains them.

There was another option for some persistence - it was -S - look down about 5K lines in this FAQ for an article about it, "What was the -S option?".
**********************************************************************

I'm trying to use Snort and I have just 4 rules in order to get all the traffic I need:

    log tcp $EXTERNAL_NET any -> $HOME_NET any
    log udp $EXTERNAL_NET any -> $HOME_NET any
    log icmp $EXTERNAL_NET any -> $HOME_NET any
    log ip $EXTERNAL_NET any -> $HOME_NET any

In my snort.conf I used to use the following entry:

    output database: log, mysql, user=test password=test dbname=test host=XXX.XXX.XXX.XXX detail=fast

But with this configuration, I couldn't get all the information I needed, just the following data:

- timestamp
- signature
- source ip
- destination ip
- source port
- destination port
- tcp flags
- protocol

But I need the ip_len column in order to graph the network activity in bytes, so I changed the entry to:

    output database: log, mysql, user=test password=test dbname=test host=XXX.XXX.XXX.XXX detail=full

But this implies that I'm going to have a ton of useless data! Do you have another option to do this kind of development?
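The aggregation the poster is after, as an added example that is not part of the original message and not Snort project code. It assumes the ACID/BASE-style schema that Snort's "output database" plugin writes (tables event and iphdr with the column names shown below, joined on sid/cid) and that a row logged under detail=fast is left with a NULL ip_len while detail=full fills it in; both are assumptions about the plugin, not facts taken from the thread. It runs against an in-memory SQLite copy of that schema with constructed rows, sums ip_len into fixed-size time buckets per IP protocol, counts rows whose length is missing, and pivots the result into rrdtool update strings. On MySQL, replace the strftime('%s', ...) expression with UNIX_TIMESTAMP(e.timestamp).

```python
"""Per-interval byte counts from Snort database-plugin rows (added example).

Assumed schema: Snort's output database plugin writes one 'event' row and
one 'iphdr' row per logged packet, keyed by (sid, cid).  A row logged under
detail=fast is assumed to have ip_len NULL; detail=full populates it.
"""
import sqlite3

SCHEMA = """
CREATE TABLE event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    signature INTEGER NOT NULL, timestamp TEXT NOT NULL,
    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL,
    ip_src INTEGER NOT NULL, ip_dst INTEGER NOT NULL,
    ip_proto INTEGER NOT NULL, ip_len INTEGER,
    PRIMARY KEY (sid, cid));
"""

# Constructed sample rows for one sensor (sid 1).  cid 1-3 and 5 look like
# detail=full output; cid 4 mimics a detail=fast row whose ip_len is NULL.
EVENTS = [
    (1, 1, 0, "2005-03-10 00:00:10"),
    (1, 2, 0, "2005-03-10 00:02:30"),
    (1, 3, 0, "2005-03-10 00:03:00"),
    (1, 4, 0, "2005-03-10 00:06:00"),
    (1, 5, 0, "2005-03-10 00:07:15"),
]
IPHDRS = [
    (1, 1, 0x0A000001, 0xC0A80101, 6, 1500),   # TCP, full-size segment
    (1, 2, 0x0A000002, 0xC0A80101, 6, 60),     # TCP, small segment
    (1, 3, 0x0A000003, 0xC0A80135, 17, 328),   # UDP
    (1, 4, 0x0A000004, 0xC0A80101, 6, None),   # TCP, length not logged
    (1, 5, 0x0A000005, 0xC0A80101, 1, 84),     # ICMP
]

# Bucket the event timestamp to a multiple of :step seconds, then sum ip_len
# per (bucket, protocol).  SUM() skips NULLs, so missing lengths are reported
# separately instead of silently dragging the byte count down.
QUERY = """
SELECT (CAST(strftime('%s', e.timestamp) AS INTEGER) / :step) * :step AS bucket,
       i.ip_proto,
       COALESCE(SUM(i.ip_len), 0) AS bytes,
       COUNT(*)                   AS packets,
       SUM(i.ip_len IS NULL)      AS missing_len
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
GROUP BY bucket, i.ip_proto
ORDER BY bucket, i.ip_proto
"""


def load_sample():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", EVENTS)
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?,?,?)", IPHDRS)
    conn.commit()
    return conn


def bytes_per_bucket(conn, step=300):
    """Return (bucket_epoch, ip_proto, bytes, packets, missing_len) tuples."""
    return [tuple(r) for r in conn.execute(QUERY, {"step": step})]


# Data-source order assumed for the (hypothetical) RRD: tcp, udp, icmp.
PROTO_DS = {6: "tcp", 17: "udp", 1: "icmp"}


def rrd_update_lines(rows):
    """Pivot per-protocol rows into 'epoch:tcp:udp:icmp' rrdtool update args."""
    per_bucket = {}
    for bucket, proto, nbytes, _packets, _missing in rows:
        ds_values = per_bucket.setdefault(bucket, {ds: 0 for ds in PROTO_DS.values()})
        ds = PROTO_DS.get(proto)
        if ds is not None:          # other protocols are not graphed
            ds_values[ds] += nbytes
    return [f"{b}:{v['tcp']}:{v['udp']}:{v['icmp']}" for b, v in sorted(per_bucket.items())]


if __name__ == "__main__":
    rows = bytes_per_bucket(load_sample())
    for row in rows:
        print(row)
    for line in rrd_update_lines(rows):
        print("rrdtool update traffic.rrd", line)
```

The missing_len column is the check worth keeping: if it is non-zero for a bucket, that interval was logged without packet sizes and the byte graph under-reports it, which is exactly what happens to rows written under detail=fast.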
Current thread:
- Snort and Mysql for statistics purposes David Jiménez Domínguez (Mar 08)
- Re: Snort and Mysql for statistics purposes Jose Maria Lopez Hernandez (Mar 09)
- Re: Snort and Mysql for statistics purposes sushant (Mar 09)
- Re: Snort and Mysql for statistics purposes Muhammad Omar Khan (Mar 11)
- Re: Snort and Mysql for statistics purposes Olaf Gellert (Mar 09)
- Re: Snort and Mysql for statistics purposes David Jiménez Domínguez (Mar 09)
- Re: Re: Snort and Mysql for statistics purposes Alejandro Flores (Mar 10)
- <Possible follow-ups>
- RE: Snort and Mysql for statistics purposes Snort (Mar 08)
- RE: Snort and Mysql for statistics purposes Bénoni MARTIN (Mar 09)
- RE: Snort and Mysql for statistics purposes Stark, John (Mar 09)
- RE: Re: Snort and Mysql for statistics purposes Snort (Mar 14)
- RE: Snort and Mysql for statistics purposes Bénoni MARTIN (Mar 21)