Re: [Snort-sigs] Snort.org Blog: Snort's output methods

[Joel Esler <jesler () sourcefire com>]

Syslog isn't going away.  Too many people and correlation tools use it.    Thanks though.

Joel

On Jun 27, 2011, at 4:41 PM, Steven Sturges wrote:

> Syslog is one of those that is pretty important for a lot of folks.
>
> Though, I wouldn't recommend using a remote syslog for the same
> reasons as using a remote DB....
>
> Cheers.
> -s
>
> On 7/22/64 2:59 PM, L0rd Ch0de1m0rt wrote:
> > I use syslog output exclusively and if it went away I would have to
> > immediately transfer my large infrastructure to Suricata and take my
> > dozen of Soucefire appliances and use half of them for target practice
> > with my AR-15 and Glock .40 and the other half I would build a Beowulf
> > cluster for OISF/EmergingThreats Pro to utilize.  Since Suricata is Open
> > Source, I would take my Sourcefire appliance budget and buy huge solar
> > panels to power the cluster.  Sounds like fun.
> >
> >
> > -L0rd C.
> >
> > On Mon, Jun 27, 2011 at 10:16 AM, Joel Esler <jesler () sourcefire com
> > <mailto:jesler () sourcefire com>> wrote:
> >
> >
> >    http://blog.snort.org/2011/06/snorts-output-methods.html
> >
> >    Snort's output methods
> >
> >    Ever since the beginning of Snort, one of the main concerns was "how
> >    do I get data out of Snort".  Some of the options available have
> >    their advantages and disadvantages.
> >
> >    There's some that aren't used.
> >    There's some that cause Snort to be slow.
> >    There's some that we don't maintain and don't frequently test.
> >    and
> >    There's some that we want to get rid of.
> >
> >    One of those output methods is the "spo_database" module.  Or the
> >    module in Snort that directly inputs data from Snort into a mysql,
> >    postgres, or an Oracle database.  This logging method was written
> >    back in the late 90's by a college student (along with the db schema
> >    and the interface ACID) as a project for his thesis.
> >
> >    It hasn't been very well maintained since then.  In fact, we don't
> >    test against it, and we don't recommend it for use.  It makes Snort,
> >    which is a high-speed data processor, have to stop doing what it's
> >    doing (being an IPS), and insert data into the database.  While
> >    Snort is inserting into the database, this stops inspection waiting
> >    for the database connection.
> >
> >    So we are going to remove it.
> >
> >    In order to provide the type of functionality we'd like to provide
> >    with Snort in the next few releases (more data for you!), we needed
> >    someone to take over the maintenance of the db schema that is
> >    shipped with Snort as well.   As a result of the discussion on the
> >    Snort-devel list, the team members over at the barnyard2 project
> >    have agreed to take over the maintenance of these schemas.
> >
> >    At this point I'd like to hear from the community as well.  So
> >    please leave comments.
> >
> >    What output plugins do you use?
> >    Will you be affected by this change (we hope a lot of you aren't
> >    using the spo_database method)?
> >    What other output plugins do you think we can "show the door"?
> >
> >    Please leave comments at the above link.
> >
> >    Thanks.
> >
> >    Joel Esler
> >    OpenSource Community Manager
> >    ------------------------------------------------------------------------------
> >    All of the data generated in your IT infrastructure is seriously
> >    valuable.
> >    Why? It contains a definitive record of application performance,
> >    security
> >    threats, fraudulent activity, and more. Splunk takes this data and makes
> >    sense of it. IT sense. And common sense.
> >    http://p.sf.net/sfu/splunk-d2d-c2
> >    _______________________________________________
> >    Snort-devel mailing list
> >    Snort-devel () lists sourceforge net
> >    <mailto:Snort-devel () lists sourceforge net>
> >    https://lists.sourceforge.net/lists/listinfo/snort-devel


------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel