Re: Homebrew unified2 processing vs barnyard2

[K D <korodev () gmail com>]

True, I suppose I'm wondering if barnyard2's performance leaves much to be
desired in the snort community. I haven't seen any major complaints, and
would imagine it's not the source of any major bottlenecks (as opposed to
the actual database). I'd be interested to see what the Sguil guys would
have to say about their experience and decisions regarding barnyard2 for
their project.

Though I plan to stick with Postgresql for now, has there been any thought
or research in NSM events (snort, sancp, etc) being stored in the trendier
schema-less databases or a hybrid unified2 flat file and rdbms setup?

\\korodev


On Mon, Jul 19, 2010 at 1:35 PM, beenph <beenph () gmail com> wrote:

> I personally guess that it depends on your needs and the time you have
> to put on your own stuff.
> If your previous script was parsing unified files, i would probably be
> able to parse unified2 after a few modifications.
>
> -elz
>
>
> On Mon, Jul 19, 2010 at 2:24 PM, K D <korodev () gmail com> wrote:
> > Having spent a good amount of time away from snort and trying to get back
> > into the swing of things, I was wondering what the current consensus was
> on
> > barnyard vs homebrew unified2 parsing. Previously, I was doing unified
> > parsing via a homebrew application, but looking forward, it seems like
> > barnyard2 is the popular, stable, and standard app for the job. Anyone
> > willing to persuade me otherwise?
> > Also, are you guys using any perl or python (preferred) libraries for
> > unified2 file access? If so, what role do these play in your current
> > configuration and how are they used in conjunction with or instead of
> > barnyard?
> > \\korodev
> ------------------------------------------------------------------------------
> > This SF.net email is sponsored by Sprint
> > What will you do first with EVO, the first 4G phone?
> > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users