Snort mailing list archives
Re: v2.8.4 incorrect logging to MySQL
From: Jason Brvenik <jasonb () sourcefire com>
Date: Tue, 14 Apr 2009 14:03:33 -0400
It sounds to me like some general education is needed. The latency between unified to DB is nothing that can be perceived by humans, if it is then the latency between engine and DB is going to be critical to performance of the engine itself. What is a use case that even a second delay (not the typical Milli Second) would have an impact? On Tue, Apr 14, 2009 at 1:37 PM, Jack Pepper <pepperjack () afferentsecurity com> wrote:
I disagree vehemently. I like the flexibility (warts and all) that comes with the current model. It's true that high flexibility leads to high complexity which invariably leads to maintenance challenges. No argument there. but to take away the flexibility and adaptability would damage the snort product. Unified is good enough for reporting and charts, and all that blah blah blah. but if you really want to build a security device around the snort detect engine, unified is too weak for real time response and analysis. the unified model carries too much latency for real time processing. the alternative to complexity is to choose either a limited, dumbed down product or a closed source product. Both models (static deployability model and closed source model) have demonstrably failed to keep pace with the ingenuity and skill of our common adversary. simple tools suck. jp Quoting JJ Cummings <cummingsj () gmail com>:/me raises hand.. "I" On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler () sourcefire com> wrote:Seconded. On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik <jasonb () sourcefire com>wrote:Here is my vote to remove all output methods from the engine except unified, to remove the code complexity. People are much better off having two dedicated processes achieving a common goal than they are with the code complexity and issues in the one code base. On Tue, Apr 14, 2009 at 8:31 AM, James Lay <jlay () slave-tothe-box net> wrote:________________________________ From: Ron Jenkins <rjenkins () rmjcs net> Date: Mon, 13 Apr 2009 09:21:09 -0500 To: 'Joel Esler' <jesler () sourcefire com> Cc: James Lay <jlay () slave-tothe-box net>, Snort <snort-users () lists sourceforge net> Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL We are backing down from v2.8.4 until the new version can successfullywriteto the sensor and signature tables correctly. Until Soucrefire truly removes writing to the MySQL database and forces unified logging we see no reason to change at this time. Yes the newrulechanges are much wanted, but after reading on the mass issues on thesnortforums with the new version we are holding off on the update. Thanks I have to chime in and second this. Though Unified might be best, for smaller shops, my perception is that barnyard is an added layer of complexity. I run snort at the house on OS X...pretty much to catch the obvious dumb crap coming in from the outside world and to catch if thekidsmachines get something naughty. Again, larger shops where IDS ismissioncritical should take the extra step, but small ones..eh...I?ve foundthatlogging direct to mysql works well enough. My 0.02 I guess. James------------------------------------------------------------------------------This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974 ------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users---- Framework? I don't need no stinking framework! ---------------------------------------------------------------- @fferent Security Labs: Isolate/Insulate/Innovate http://www.afferentsecurity.com ------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: v2.8.4 incorrect logging to MySQL, (continued)
- Re: v2.8.4 incorrect logging to MySQL Jason Wallace (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Joel Esler (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Paul Schmehl (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Jason Wallace (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Jason Brvenik (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Randal T. Rioux (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Jason Brvenik (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Jason Brvenik (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Leon Ward (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Jack Pepper (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Jason Brvenik (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Jason Brvenik (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Loyal A Moses (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Jefferson, Shawn (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Joel Esler (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Loyal A Moses (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Randal T. Rioux (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Martin Roesch (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Loyal A Moses (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Martin Roesch (Apr 14)