Snort mailing list archives

Re: Load snort alert to database without barnyard2


From: Marcin Dulak <marcin.dulak () gmail com>
Date: Tue, 21 Feb 2017 04:07:18 +0100

On Tue, Feb 21, 2017 at 3:59 AM, <wkitty42 () windstream net> wrote:

On 02/20/2017 02:26 PM, Paul Li wrote:
My use cases of Snort don't generate u2 log files every time: sometimes it generates .log log files. But I still need to load all the alerts to the database.
Looks like after Snort 2.9.3, the database plugin is removed. Wondering if there are any other ways to load alerts to a database without using Barnyard2?


you could use https://github.com/jasonish/py-idstools to convert unified2 to json on-the-fly and write into e.g. mongodb

Marcin


without using barnyard2? no... not that *i'm* aware of... you could write your own U2 parser and use that to populate your database... see? here's the thing... the reason that the snort direct database thing was abandoned was because if there was a problem reaching the database or writing to it, snort would hang and miss processing traffic... by getting rid of that task, snort has more time to monitor and analyze the network traffic... it can write to the U2 log as long as it wants to... then it is up to another tool, like barnyard2 or your own concoction, to handle the reading of the U2 and importing it into the database in its own time... all without stopping snort...

--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
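An added example of the "write your own U2 parser" route mentioned above (it is not code from this thread or from py-idstools): it decodes unified2 IDS event records into SQLite as a separate consumer that never blocks the sensor, tolerates a file Snort is still appending to, and re-imports without duplicating rows. The record layout follows the legacy unified2 IPv4 event structure; the sample file bytes are constructed for the demonstration.

```python
import socket
import sqlite3
import struct
# Unified2 is a stream of records: big-endian (type, length) header, then `length` body
# bytes. Only the legacy IPv4 IDS event (type 7, 52-byte body) is decoded; the rest are skipped.
RECORD_HEADER = struct.Struct(">II")
UNIFIED2_IDS_EVENT = 7
EVENT = struct.Struct(">9I4s4sHHBBBB")
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
def iter_records(data: bytes):
    """Yield (type, body) per complete record; a truncated tail, normal while
    Snort is still appending to the file, ends iteration instead of raising."""
    pos = 0
    while pos + RECORD_HEADER.size <= len(data):
        rtype, length = RECORD_HEADER.unpack_from(data, pos)
        end = pos + RECORD_HEADER.size + length
        if end > len(data):
            break
        yield rtype, data[pos + RECORD_HEADER.size:end]
        pos = end
def parse_event(body: bytes) -> dict:
    ev = dict(zip(EVENT_FIELDS, EVENT.unpack(body[:EVENT.size])))
    ev["ip_source"] = socket.inet_ntoa(ev["ip_source"])
    ev["ip_destination"] = socket.inet_ntoa(ev["ip_destination"])
    return ev
def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)  # the primary key makes re-importing a file idempotent
    conn.execute("CREATE TABLE IF NOT EXISTS event (%s, PRIMARY KEY "
                 "(sensor_id, event_id, event_second))" % ", ".join(EVENT_FIELDS))
    return conn
def load_events(data: bytes, conn: sqlite3.Connection) -> int:
    """Insert every decodable event record with INSERT OR IGNORE; return the parsed count."""
    parsed = 0
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_IDS_EVENT or len(body) < EVENT.size:
            continue
        ev = parse_event(body)
        conn.execute("INSERT OR IGNORE INTO event VALUES (%s)" % ",".join("?" * len(EVENT_FIELDS)),
                     [ev[f] for f in EVENT_FIELDS])
        parsed += 1
    conn.commit()
    return parsed
def build_sample(sid: int = 1000001, src: str = "10.0.0.5", dst: str = "10.0.0.9") -> bytes:
    """Constructed sample: one event record, then the header of a packet record whose body
    has not been written yet (what a reader sees while Snort is mid-write)."""
    body = EVENT.pack(1, 42, 1487646000, 0, sid, 1, 3, 1, 2, socket.inet_aton(src),
                      socket.inet_aton(dst), 44321, 80, 6, 0, 0, 0)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body + RECORD_HEADER.pack(2, 52)
```

Run it against a real spool file by reading the file into `data` and calling `load_events(data, open_db("alerts.db"))` from a cron job or loop; the reader only ever touches the file, so a slow or unreachable database never stalls Snort.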

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
