Snort mailing list archives

Re: v2.8.4 incorrect logging to MySQL


From: "Randal T. Rioux" <randy () procyonlabs com>
Date: Tue, 14 Apr 2009 16:14:24 -0400 (EDT)

I've brought up the issue many times here. I started to develop my own
version when Firnsy over at Securix let me know their intentions. I left
the issue because it looked like they had a good thing (and still do).

http://www.securixlive.com/barnyard2/index.php

I'm still working on a different type of replacement that supports more
databases. There are a few things in front of the queue right now, but I'd
like to have something done by summer.

I just don't like the idea of a product/company saying "only use this
module" when that module is abandoned. If you truly are removing direct DB
output, then dedicate a resource or two to a "supported" output parser for
unified2 (which is what I'm focused on).

Randy
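For readers who have not looked at what such a unified2 output parser has to consume: the following is an added example, not code from this thread or from Barnyard, Barnyard2 or SnortUnified.pm. It walks the unified2 record framing (a big-endian type/length header per record) and decodes the IPv4 IDS event record (type 7), stopping cleanly at a truncated tail as found in a spool file Snort is still writing. The sample bytes are constructed inline.

```python
import struct

# unified2 record types (values from Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # IPv4 IDS event record

# Every record: uint32 type, uint32 length (big-endian), then `length` bytes of body.
RECORD_HDR = struct.Struct("!II")
# IPv4 IDS event body: nine uint32 fields, two IPv4 addresses, two uint16, four uint8 (52 bytes).
IDS_EVENT = struct.Struct("!9I4s4sHHBBBB")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)

def parse_ids_event(body):
    fields = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
    for key in ("ip_source", "ip_destination"):
        fields[key] = ".".join(str(b) for b in fields[key])
    return fields

def iter_records(data):
    """Yield (type, body) for each complete record; a header whose body runs past
    the end of the data is treated as a truncated tail and ends iteration."""
    offset = 0
    while offset + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, offset)
        offset += RECORD_HDR.size
        if offset + length > len(data):
            break
        yield rtype, data[offset:offset + length]
        offset += length

def read_events(data):
    """Decode only the type-7 events; packet and other record types are skipped."""
    return [parse_ids_event(body) for rtype, body in iter_records(data)
            if rtype == UNIFIED2_IDS_EVENT and len(body) == IDS_EVENT.size]

# Constructed sample: one event (gid 1, sid 2000001 rev 3, TCP 192.168.1.10:51234 -> 10.0.0.5:80)
# followed by a packet record header whose 200-byte body is cut off after 20 bytes.
_event = IDS_EVENT.pack(1, 42, 1239722400, 0, 2000001, 1, 3, 5, 2,
                        bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]),
                        51234, 80, 6, 0, 0, 0)
SAMPLE = (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(_event)) + _event
          + RECORD_HDR.pack(UNIFIED2_PACKET, 200) + b"\x00" * 20)

if __name__ == "__main__":
    for event in read_events(SAMPLE):
        print(event)
```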


On Tue, April 14, 2009 1:15 pm, Joel Esler wrote:
After talking with Jason, I am going to try and put some bandwidth into
testing barnyard2. See if it comes up for any of the shortfalls that
barnyard1 had. Are any of the barnyard2 developers on this list?

J

On Tue, Apr 14, 2009 at 12:54 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:

I'll bite...

I'd throw in a vote for this too, but out of curiosity... why unified
over unified2?

Either way, before you could do that there would have to be an
"official" tool to read the binary file and output it to other formats.
By official I mean something supported, documented (right on the snort
web site), and maintained, so we know it will be there tomorrow and
doesn't fade off into nothing like barnyard.

Right now there are 3 options:

Barnyard: http://www.snort.org/dl/barnyard/ - Works with unified but not
unified2 - abandonware - DB connection issues

Barnyard2: http://www.securixlive.com/barnyard2/index.php - Works with
unified and unified2 - I have seen the same DB connection issues as with
barnyard

SnortUnified.pm: http://code.google.com/p/snort-unified-perl/ - Works but
not very well documented (no disrespect meant Jason) - Not sure about the
DB connection issue. I have tried to use this a couple of times; I'm not
the best with perl, so the lack of docs left me scratching my head.

I wouldn't call any of these official. Recommended, but not official.

Wally

On Tue, Apr 14, 2009 at 12:08 PM, JJ Cummings <cummingsj () gmail com> wrote:
/me raises hand.. "I"

On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler () sourcefire com> wrote:

Seconded.

On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik <jasonb () sourcefire com> wrote:

Here is my vote to remove all output methods from the engine
except unified, to remove the code complexity. People are much
better off having two dedicated processes achieving a common goal
than they are with the code complexity and issues in the one code
base.

On Tue, Apr 14, 2009 at 8:31 AM, James Lay <jlay () slave-tothe-box net> wrote:

________________________________
From: Ron Jenkins <rjenkins () rmjcs net>
Date: Mon, 13 Apr 2009 09:21:09 -0500
To: 'Joel Esler' <jesler () sourcefire com>
Cc: James Lay <jlay () slave-tothe-box net>, Snort <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL

We are backing down from v2.8.4 until the new version can successfully
write to the sensor and signature tables correctly.

Until Sourcefire truly removes writing to the MySQL database and forces
unified logging we see no reason to change at this time. Yes, the new
rule changes are much wanted, but after reading on the mass issues on
the snort forums with the new version we are holding off on the update.

Thanks




I have to chime in and second this. Though Unified might be best, for
smaller shops, my perception is that barnyard is an added layer of
complexity. I run snort at the house on OS X...pretty much to catch the
obvious dumb crap coming in from the outside world and to catch if the
kids' machines get something naughty. Again, larger shops where IDS is
mission critical should take the extra step, but small ones..eh...I've
found that logging direct to mysql works well enough. My 0.02 I guess.

James



-----------------------------------------------------------------------
-------
This SF.net email is sponsored by: High Quality Requirements in
a Collaborative Environment. Download a free trial of Rational
Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com
_______________________________________________ Snort-users
mailing list Snort-users () lists sourceforge net Go to this URL
to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







-- joel esler | Sourcefire | gtalk: jesler () sourcefire com |
302-223-5974













-- joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974

