Re: v2.8.4 incorrect logging to MySQL

[Jason Brvenik <jasonb () sourcefire com>]

It sounds to me like some general education is needed. The latency
between unified to DB is nothing that can be perceived by humans, if
it is then the latency between engine and DB is going to be critical
to performance of the engine itself.

What is a use case that even a second delay (not the typical Milli
Second) would have an impact?

On Tue, Apr 14, 2009 at 1:37 PM, Jack Pepper
<pepperjack () afferentsecurity com> wrote:
> I disagree vehemently.  I like the flexibility (warts and all) that
> comes with the current model.  It's true that high flexibility leads
> to high complexity which invariably leads to maintenance challenges.
> No argument there.
>
> but to take away the flexibility and adaptability would damage the
> snort product.
>
> Unified is good enough for reporting and charts, and all that blah
> blah blah.  but if you really want to build a security device around
> the snort detect engine, unified is too weak for real time response
> and analysis.  the unified model carries too much latency for real
> time processing.
>
> the alternative to complexity is to choose either a limited, dumbed
> down product or a closed source product.  Both models (static
> deployability model and closed source model) have demonstrably failed
> to keep pace with the ingenuity and skill of our common adversary.
> simple tools suck.
>
> jp
>
> Quoting JJ Cummings <cummingsj () gmail com>:
>
> > /me raises hand.. "I"
> >
> > On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler () sourcefire com> wrote:
> >
> > > Seconded.
> > >
> > >
> > > On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik
> > > <jasonb () sourcefire com>wrote:
> > >
> > > > Here is my vote to remove all output methods from the engine except
> > > > unified, to remove the code complexity. People are much better off
> > > > having two dedicated processes achieving a common goal than they are
> > > > with the code complexity and issues in the one code base.
> > > >
> > > > On Tue, Apr 14, 2009 at 8:31 AM, James Lay <jlay () slave-tothe-box net>
> > > > wrote:
> > > > > ________________________________
> > > > > From: Ron Jenkins <rjenkins () rmjcs net>
> > > > > Date: Mon, 13 Apr 2009 09:21:09 -0500
> > > > > To: 'Joel Esler' <jesler () sourcefire com>
> > > > > Cc: James Lay <jlay () slave-tothe-box net>, Snort
> > > > > <snort-users () lists sourceforge net>
> > > > > Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL
> > > > >
> > > > > We are backing down from v2.8.4 until the new version can successfully
> > > > write
> > > > > to the sensor and signature tables correctly.
> > > > >
> > > > > Until Soucrefire truly removes writing to the MySQL database and forces
> > > > > unified logging we see no reason to change at this time.  Yes the new
> > > > rule
> > > > > changes are much wanted, but after reading on the mass issues on the
> > > > snort
> > > > > forums with the new version we are holding off on the update.
> > > > >
> > > > > Thanks
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > I have to chime in and second this.  Though Unified might be best, for
> > > > > smaller shops, my perception is that barnyard is an added layer of
> > > > > complexity.  I run snort at the house on OS X...pretty much to catch the
> > > > > obvious dumb crap coming in from the outside world and to catch if the
> > > > kids
> > > > > machines get something naughty.  Again, larger shops where IDS is
> > > > mission
> > > > > critical should take the extra step, but small ones..eh...I?ve found
> > > > that
> > > > > logging direct to mysql works well enough.  My 0.02 I guess.
> > > > >
> > > > > James
> > > > ------------------------------------------------------------------------------
> > > > > This SF.net email is sponsored by:
> > > > > High Quality Requirements in a Collaborative Environment.
> > > > > Download a free trial of Rational Requirements Composer Now!
> > > > > http://p.sf.net/sfu/www-ibm-com
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > This SF.net email is sponsored by:
> > > > High Quality Requirements in a Collaborative Environment.
> > > > Download a free trial of Rational Requirements Composer Now!
> > > > http://p.sf.net/sfu/www-ibm-com
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list
> > > > archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > >
> > >
> > > --
> > > joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > This SF.net email is sponsored by:
> > > High Quality Requirements in a Collaborative Environment.
> > > Download a free trial of Rational Requirements Composer Now!
> > > http://p.sf.net/sfu/www-ibm-com
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list
> > > archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > --
>
> --
>
> Framework?  I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> High Quality Requirements in a Collaborative Environment.
> Download a free trial of Rational Requirements Composer Now!
> http://p.sf.net/sfu/www-ibm-com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users