Re: v2.8.4 incorrect logging to MySQL

["Danny Paul" <JDPAUL () GoColumbiaMO com>]

Thumbs down. Nay.

I installed barnyard yesterday to overcome the bug and discovered that
my load more than doubled. I don't need the increased complexity of
barnyard and disagree completely with the notion that it is more
efficient to write the alert to disk twice (snort->unified, then
unified->DB) vs once (snort->DB). In an environment where CPUs are fast
and RAM is plentiful but you are I/O bound (which will probably a lot
servers) why would you want to write data more often than necessary? 

Better yet, the DB backend allows you to offload your logging to
another server freeing up more of the sensor's capacity. I simply do not
see the advantage and emplore the snort developers to continue
development of multiple backends.



> > > On 4/14/2009 at 11:08 AM, in message
<1c79c7b70904140908v64967a68uf5048ebedada2ef1 () mail gmail com>,
<cummingsj () gmail com> wrote:
> /me raises hand.. "I"
>
> On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler () sourcefire com>
wrote:
> > Seconded.
> >
> >
> > On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik
<jasonb () sourcefire com>wrote:
> > > Here is my vote to remove all output methods from the engine
except
> > > unified, to remove the code complexity. People are much better off
> > > having two dedicated processes achieving a common goal than they
are
> > > with the code complexity and issues in the one code base.
> > >
> > > On Tue, Apr 14, 2009 at 8:31 AM, James Lay
<jlay () slave-tothe-box net>
> > > wrote:
> > > > ________________________________
> > > > From: Ron Jenkins <rjenkins () rmjcs net>
> > > > Date: Mon, 13 Apr 2009 09:21:09 -0500
> > > > To: 'Joel Esler' <jesler () sourcefire com>
> > > > Cc: James Lay <jlay () slave-tothe-box net>, Snort
> > > > <snort-users () lists sourceforge net>
> > > > Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL
> > > >
> > > > We are backing down from v2.8.4 until the new version can
successfully
> > > write
> > > > to the sensor and signature tables correctly.
> > > >
> > > > Until Soucrefire truly removes writing to the MySQL database and
forces
> > > > unified logging we see no reason to change at this time.  Yes the
new
> > > rule
> > > > changes are much wanted, but after reading on the mass issues on
the
> > > snort
> > > > forums with the new version we are holding off on the update.
> > > >
> > > > Thanks
> > > >
> > > >
> > > >
> > > >
> > > > I have to chime in and second this.  Though Unified might be
best, for
> > > > smaller shops, my perception is that barnyard is an added layer
of
> > > > complexity.  I run snort at the house on OS X...pretty much to
catch the
> > > > obvious dumb crap coming in from the outside world and to catch
if the
> > > kids
> > > > machines get something naughty.  Again, larger shops where IDS
is
> > > mission
> > > > critical should take the extra step, but small ones..eh...I’ve
found
> > > that
> > > > logging direct to mysql works well enough.  My 0.02 I guess.
> > > >
> > > > James
------------------------------------------------------------------------------
> > > > This SF.net email is sponsored by:
> > > > High Quality Requirements in a Collaborative Environment.
> > > > Download a free trial of Rational Requirements Composer Now!
> > > > http://p.sf.net/sfu/www-ibm-com 
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net 
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users 
------------------------------------------------------------------------------
> > > This SF.net email is sponsored by:
> > > High Quality Requirements in a Collaborative Environment.
> > > Download a free trial of Rational Requirements Composer Now!
> > > http://p.sf.net/sfu/www-ibm-com 
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net 
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-user

> s>list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> >
> >
> >
> > --
> > joel esler | Sourcefire | gtalk: jesler () sourcefire com |
302-223-5974
> >
------------------------------------------------------------------------------
> > This SF.net email is sponsored by:
> > High Quality Requirements in a Collaborative Environment.
> > Download a free trial of Rational Requirements Composer Now!
> > http://p.sf.net/sfu/www-ibm-com 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net 
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-user

> s>list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users 
>
>
>
> --

** Virus scanned by City of Columbia MO Email Firewall **

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users