Snort mailing list archives
Re: v2.8.4 incorrect logging to MySQL
From: "Danny Paul" <JDPAUL () GoColumbiaMO com>
Date: Tue, 14 Apr 2009 11:34:11 -0500
Thumbs down. Nay. I installed barnyard yesterday to overcome the bug and discovered that my load more than doubled. I don't need the increased complexity of barnyard and disagree completely with the notion that it is more efficient to write the alert to disk twice (snort->unified, then unified->DB) vs once (snort->DB). In an environment where CPUs are fast and RAM is plentiful but you are I/O bound (which will probably a lot servers) why would you want to write data more often than necessary? Better yet, the DB backend allows you to offload your logging to another server freeing up more of the sensor's capacity. I simply do not see the advantage and emplore the snort developers to continue development of multiple backends.
On 4/14/2009 at 11:08 AM, in message
<1c79c7b70904140908v64967a68uf5048ebedada2ef1 () mail gmail com>, <cummingsj () gmail com> wrote:
/me raises hand.. "I" On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler () sourcefire com>
wrote:
Seconded. On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik
<jasonb () sourcefire com>wrote:
Here is my vote to remove all output methods from the engine
except
unified, to remove the code complexity. People are much better off having two dedicated processes achieving a common goal than they
are
with the code complexity and issues in the one code base. On Tue, Apr 14, 2009 at 8:31 AM, James Lay
<jlay () slave-tothe-box net>
wrote:________________________________ From: Ron Jenkins <rjenkins () rmjcs net> Date: Mon, 13 Apr 2009 09:21:09 -0500 To: 'Joel Esler' <jesler () sourcefire com> Cc: James Lay <jlay () slave-tothe-box net>, Snort <snort-users () lists sourceforge net> Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL We are backing down from v2.8.4 until the new version can
successfully
writeto the sensor and signature tables correctly. Until Soucrefire truly removes writing to the MySQL database and
forces
unified logging we see no reason to change at this time. Yes the
new
rulechanges are much wanted, but after reading on the mass issues on
the
snortforums with the new version we are holding off on the update. Thanks I have to chime in and second this. Though Unified might be
best, for
smaller shops, my perception is that barnyard is an added layer
of
complexity. I run snort at the house on OS X...pretty much to
catch the
obvious dumb crap coming in from the outside world and to catch
if the
kidsmachines get something naughty. Again, larger shops where IDS
is
missioncritical should take the extra step, but small ones..eh...I’ve
found
thatlogging direct to mysql works well enough. My 0.02 I guess. James
------------------------------------------------------------------------------
This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-user
s>list archive:http://www.geocrawler.com/redir-sf.php3?list=snort-users-- joel esler | Sourcefire | gtalk: jesler () sourcefire com |
302-223-5974
------------------------------------------------------------------------------
This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-user
s>list archive:http://www.geocrawler.com/redir-sf.php3?list=snort-users--
** Virus scanned by City of Columbia MO Email Firewall ** ------------------------------------------------------------------------------ This SF.net email is sponsored by: High Quality Requirements in a Collaborative Environment. Download a free trial of Rational Requirements Composer Now! http://p.sf.net/sfu/www-ibm-com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: view alerts in base, (continued)
- Re: view alerts in base Leon Ward (Apr 22)
- Re: view alerts in base Randal T. Rioux (Apr 22)
- Re: view alerts in base Joel Esler (Apr 22)
- Re: view alerts in base Seth Art (Apr 22)
- Re: view alerts in base Joel Esler (Apr 22)
- Re: view alerts in base Ryan Jordan (Apr 22)
- Re: v2.8.4 incorrect logging to MySQL Jason Brvenik (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Joel Esler (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL JJ Cummings (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Danny Paul (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Jason Brvenik (Apr 14)
- Re: v2.8.4 incorrect logging to MySQL Danny Paul (Apr 14)