Re: Compiling with mysql & mssql support

[David.Ryan () Quintiles com]

Richard,

Thanks for the reply.  From my (limited) knowledge of Barnyard it only 
seems to have output plugins for mysql and postgresql.  I have tried 
looking at various websites to see if there is an mssql plugin but I 
haven't found positive confirmation yet.  Are there other unifed output 
processors I could also consider ?

I understand that the optimal setup would be to have Snort monitoring 
traffic and passing events to Barnyard which logs the transactions to a 
database.  My main aim is to have stand-alone probes running Snort (and 
Barnyard probably) with one single central database containing all the 
events from all the probes.  My DB people have an available, managed, 
backed-up, redundant MSSQL database environment, so I am aiming to use 
their environment - this will have the benefit of removing any operational 
database concerns from me and leave me to concentrate on the IDS end.

Does this model make sense to others ?  It makes sense to me because it 
leaves the probes to do the monitoring and has a dedicated DB server 
handle the processing for all the events.

David
=================================
David Ryan
IT Security Engineer, Global IT Security
Quintiles, Global IT - Infrastructure, QDUB

david.ryan () quintiles com
v:  +353-1-819-5186, GMT+0
m: +353-87-124-9108
=================================



"Richard Bejtlich" <taosecurity () gmail com> 
13/04/2007 15:28

To
snort-users () lists sourceforge net
cc
David.Ryan () Quintiles com
Subject
Re: [Snort-users] Compiling with mysql & mssql support






David Ryan wrote:

> Hi All,
>
> I currently have snort compiled with mysql support and it is logging
> correctly, but I am looking at changing the logging to point at a 
central
> MS SQL server.  Until I know it works I don't want to totally ditch the
> mysql logging.

Hi David,

This isn't going to answer your question, but I think others would
agree it should be said.  Snort logging directly to any database in
production is a bad idea.  You should log to unified output and then
use one of the many unified output readers to perform the database
inserts.

Sincerely,

Richard


**********************  IMPORTANT--PLEASE READ  ************************
This electronic message, including its attachments, is COMPANY CONFIDENTIAL
and may contain PROPRIETARY or LEGALLY PRIVILEGED information.  If you are 
not the intended recipient, you are hereby notified that any use, disclosure,
copying, or distribution of this message or any of the information included
in it is unauthorized and strictly prohibited.  If you have received this
message in error, please immediately notify the sender by reply e-mail and
permanently delete this message and its attachments, along with any copies
thereof. If this electronic message contains a zipped attachment and you do
not have a decompression tool, you may download unZIP (free of cost) from:
http://www.mk-net-work.com/us/uz/unzip.htm. Alternatively, you may request
that the attachment be resent in an uncompressed format.        Thank you. 
************************************************************************

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users