Snort mailing list archives
Re: Snort, Barnyard, Mysql
From: Jason Brvenik <jasonb () sourcefire com>
Date: Sat, 15 Oct 2005 22:21:04 -0400
Raymond Owens wrote:
I have several questions relating to the use of Snort, Barnyard and Mysql that hopefully someone can shed some light on. First, I have heard that if Barnyard is run on the same platform that the Snort sensor resides on, there is no performance enhancement because the same box is doing both the sensing and the unified file output parsing. Is this true? If so, what methods are employed to get the unified files to another box?
This is not true. Unified output is much faster than other output methods. Running barnyard on the same single processor system might have some cost associated with the sensing instance, but if you are running at those speeds you should have a multiprocessor system for the task anyway. Moving the database to a different system is also a good idea if you have high performance needs.
When I imported the snort schema inside the create_mysql file into Mysql v. 5.0.12 it choked on the table 'schema'. When I altered the table name before input to 'scheme' the snort database was created successfully and the database seemed usable, but I assume something will be unhappy at some point with the changed table name. Anyone run into this before?
This is the result of a change in Mysql that made schema a reserved word. You need to surround schema in single ticks EG: 'schema' IIRC
One item in the project I am working on is providing sysadms of various subnets access to the Snort alerts pertaining to their subnets while not allowing them to see event information that pertains to subnets they do not control. These sysadms are using snort database access agents which are assumed to be provided a database name of form 'database.*' over which they will have SELECT access to all tables to do various types of queries. Has anyone done anything similar and can give me general guidance on how to accomplish this? I assume that a 'view' would need to be created and a 'grant' to individual users which only gives access based on the source and destination IPs falling into their domain. Having a little trouble figuring out if this is a feasible scheme and what the general syntax would look like.
BASE may already be able to help you with this. If not, adding the support for user based restrictions on netblocks or sensor instance should not be that hard.
Thanks for any help that can be provided.
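A worked example added here, not from the thread or from the Snort project, that covers both points raised above: loading the `schema` table on MySQL 5.0 by quoting the identifier (MySQL's identifier quote is the backtick), and giving a subnet admin SELECT access to a 'database.*' name that contains only filtered views. It assumes the table layout from create_mysql in a database named `snort`; the database `snort_net10`, the subnet 192.168.10.0/24 and the user 'netadmin10' are constructed for illustration.

```sql
-- Assumes create_mysql has been loaded into database `snort` with tables
-- event(sid, cid, signature, timestamp), iphdr(sid, cid, ip_src, ip_dst, ...)
-- and signature(sig_id, sig_name, ...). IPv4 addresses are stored as INT UNSIGNED.
USE snort;

-- The `schema` table from create_mysql: backtick-quoting the name lets it load on
-- MySQL 5.0 (where SCHEMA became a reserved word) without renaming the table.
CREATE TABLE `schema` (
  vseq  INT UNSIGNED NOT NULL,
  ctime DATETIME     NOT NULL,
  PRIMARY KEY (vseq)
);

-- A per-subnet database holding only views, so an access agent that expects
-- SELECT on 'database.*' can be pointed at it with the usual table names.
-- (Constructed name; one such database per subnet / admin group.)
CREATE DATABASE snort_net10;

-- iphdr restricted to rows where either address falls in 192.168.10.0/24.
-- Addresses are unsigned integers, so mask to /24 and compare with INET_ATON
-- instead of string-matching on a dotted quad.
CREATE VIEW snort_net10.iphdr AS
  SELECT * FROM snort.iphdr
   WHERE (ip_src & 0xFFFFFF00) = INET_ATON('192.168.10.0')
      OR (ip_dst & 0xFFFFFF00) = INET_ATON('192.168.10.0');

-- event restricted to the same (sid, cid) pairs, so alerts for other subnets
-- cannot be enumerated through this table either.
CREATE VIEW snort_net10.event AS
  SELECT e.* FROM snort.event e
   WHERE EXISTS (SELECT 1 FROM snort_net10.iphdr i
                  WHERE i.sid = e.sid AND i.cid = e.cid);

-- Reference tables carry no per-subnet data and can be exposed unfiltered.
CREATE VIEW snort_net10.signature AS SELECT * FROM snort.signature;
CREATE VIEW snort_net10.`schema`  AS SELECT * FROM snort.`schema`;

-- The subnet admin gets SELECT on the view database only; no grant on `snort`.
-- Views default to SQL SECURITY DEFINER, so the base tables are read under the
-- creating account's privileges, not the admin's.
CREATE USER 'netadmin10'@'localhost' IDENTIFIED BY 'REPLACE-WITH-A-REAL-PASSWORD';
GRANT SELECT ON snort_net10.* TO 'netadmin10'@'localhost';
```

Any other table the agent reads (sensor, data, icmphdr, tcphdr, udphdr) gets a view in the same database, filtered through the same (sid, cid) check where it carries per-event rows.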