Snort mailing list archives

Re: v2.8.4 incorrect logging to MySQL


From: Jason Brvenik <jasonb () sourcefire com>
Date: Tue, 14 Apr 2009 17:14:36 -0400

I'd like to clarify: Sourcefire is not saying "only use barnyard and
ditch the rest". I am expressing my opinion that snort should only
support one fast output method, and that output should be parsed into
whatever other things are desired as a separate process. I see a lot
of good coming from it.

I agree with the sentiment that another supported tool / method /
approach should be made in place of removing that functionality from
the detection engine itself.

Clearly there are people that rely on direct DB write from the engine;
that is fine. While the discussion is being had about output methods,
please express why direct output is critical in the face of that
output having limitations on the effectiveness of the engine and
suitable alternatives existing.

I would love to hear the problems being solved by direct DB output and
see a discussion about alternative ways to meet those needs. I would
also like to see the engine focus on detection and have as little
focus as possible on non-detection related activities.

On Tue, Apr 14, 2009 at 4:14 PM, Randal T. Rioux <randy () procyonlabs com> wrote:
I've brought up the issue many times here. I started to develop my own
version when Firnsy over at Securix let me know their intentions. I left
the issue because it looked like they had a good thing (and still do).

http://www.securixlive.com/barnyard2/index.php

I'm still working on a different type of replacement that supports more
databases. There are a few things in front of it in the queue right now, but I'd
like to have something done by summer.

I just don't like the idea of a product/company saying "only use this
module" when that module is abandoned. If you truly are removing direct DB
output, then dedicate a resource or two to a "supported" output parser for
unified2 (which is what I'm focused on).

Randy


On Tue, April 14, 2009 1:15 pm, Joel Esler wrote:
After talking with Jason, I am going to try and put some bandwidth into
testing barnyard2. See if it comes up for any of the shortfalls that
barnyard1 had. Are any of the barnyard2 developers on this list?

J

On Tue, Apr 14, 2009 at 12:54 PM, Jason Wallace
<jason.r.wallace () gmail com> wrote:

I'll bite...

I'd throw in a vote for this too, but out of curiosity... why unified
over unified2?

Either way, before you could do that there would have to be an
"official" tool to read the binary file and output it to other formats.
By official I mean something supported, documented (right on the snort
web site), and, maintained so we know it will be there tomorrow and
doesn't fade off into nothing like barnyard.

Right now there are 3 options:

Barnyard: http://www.snort.org/dl/barnyard/ - Works with unified but
not unified2 - abandonware - DB connection issues

Barnyard2: http://www.securixlive.com/barnyard2/index.php - Works with
unified and unified2 - I have seen the same DB connection issues as
with barnyard

SnortUnified.pm: http://code.google.com/p/snort-unified-perl/ - Works
but not very well documented (no disrespect meant Jason) - Not sure
about the DB connection issue. I have tried to use this a couple of
times; I'm not the best with perl, so the lack of docs left me
scratching my head.

I wouldn't call any of these official. Recommended, but not official.

Wally

On Tue, Apr 14, 2009 at 12:08 PM, JJ Cummings <cummingsj () gmail com>
wrote:
/me raises hand.. "I"

On Tue, Apr 14, 2009 at 9:56 AM, Joel Esler <jesler () sourcefire com>
wrote:

Seconded.

On Tue, Apr 14, 2009 at 11:38 AM, Jason Brvenik
<jasonb () sourcefire com>
wrote:

Here is my vote to remove all output methods from the engine
except unified, to remove the code complexity. People are much
better off having two dedicated processes achieving a common goal
than they are with the code complexity and issues in the one code
base.

On Tue, Apr 14, 2009 at 8:31 AM, James Lay
<jlay () slave-tothe-box net>
wrote:


________________________________
From: Ron Jenkins <rjenkins () rmjcs net>
Date: Mon, 13 Apr 2009 09:21:09 -0500
To: 'Joel Esler' <jesler () sourcefire com>
Cc: James Lay <jlay () slave-tothe-box net>, Snort <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] v2.8.4 incorrect logging to MySQL

We are backing down from v2.8.4 until the new version can successfully
write to the sensor and signature tables correctly.

Until Sourcefire truly removes writing to the MySQL database and forces
unified logging we see no reason to change at this time. Yes, the new
rule changes are much wanted, but after reading on the mass issues on
the snort forums with the new version we are holding off on the update.

Thanks


I have to chime in and second this. Though Unified might be best, for
smaller shops my perception is that barnyard is an added layer of
complexity. I run snort at the house on OS X...pretty much to catch the
obvious dumb crap coming in from the outside world and to catch if the
kids' machines get something naughty. Again, larger shops where IDS is
mission critical should take the extra step, but small ones..eh...I've
found that logging direct to mysql works well enough. My 0.02 I guess.

James



------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974






-- joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974


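The architecture argued for at the top of this thread (the engine writes only unified2, and a separate process parses the spool and feeds the database) as an added Python example. This is not code from any post here, nor from Snort, barnyard or barnyard2. It assumes the unified2 on-disk layout as I know it: a big-endian (type, length) record header, a 52-byte type 7 IDS event and a type 2 packet record with a 28-byte header. The sample spool bytes are constructed, sqlite3 stands in for the MySQL schema under discussion, and the reader handles the case every spool consumer hits: a trailing record the sensor has not finished writing is left unconsumed rather than mis-parsed.

```python
"""Spool reader for Snort unified2 output, run as a process separate from the sensor.

Assumed unified2 layout (big-endian throughout):
  record header : uint32 type, uint32 length (length excludes the header)
  type 7 event  : 52-byte Unified2IDSEvent
  type 2 packet : 28-byte header followed by packet_length bytes of frame
"""
import socket
import sqlite3
import struct

RECORD_HDR = struct.Struct("!II")
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

IDS_EVENT = struct.Struct("!11I2H4B")   # 44 + 4 + 4 = 52 bytes
IDS_EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                    "signature_id", "generator_id", "signature_revision",
                    "classification_id", "priority_id", "ip_source", "ip_destination",
                    "sport_itype", "dport_icode", "protocol", "impact_flag",
                    "impact", "blocked")
PACKET_HDR = struct.Struct("!7I")       # 28 bytes
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def ip_to_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(value):
    return socket.inet_ntoa(struct.pack("!I", value))


def decode_record(rtype, body):
    """Decode one record body into a dict; unknown or mis-sized types are kept raw."""
    if rtype == UNIFIED2_IDS_EVENT and len(body) == IDS_EVENT.size:
        rec = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
        rec["ip_source"] = int_to_ip(rec["ip_source"])
        rec["ip_destination"] = int_to_ip(rec["ip_destination"])
    elif rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
        rec = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
        # Trust the declared packet_length only as far as the record actually extends.
        rec["packet"] = body[PACKET_HDR.size:PACKET_HDR.size + rec["packet_length"]]
    else:
        rec = {"raw": body}
    rec["type"] = rtype
    return rec


def parse_records(data):
    """Return (records, consumed). A trailing partial record, which the sensor is
    still writing, is left unconsumed so the caller can resume at that offset."""
    records, offset = [], 0
    while offset + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, offset)
        end = offset + RECORD_HDR.size + rlen
        if end > len(data):
            break
        records.append(decode_record(rtype, data[offset + RECORD_HDR.size:end]))
        offset = end
    return records, offset


def open_db():
    """In-memory sqlite3 stands in for the MySQL sensor/event schema of the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (sensor_id INT, event_id INT, event_second INT,"
                 " signature_id INT, generator_id INT, signature_revision INT,"
                 " ip_source TEXT, ip_destination TEXT, sport_itype INT,"
                 " dport_icode INT, protocol INT)")
    conn.execute("CREATE TABLE packet (sensor_id INT, event_id INT, event_second INT,"
                 " packet BLOB)")
    return conn


def load_into_db(records, conn):
    """Insert decoded records with parameterized statements; returns (events, packets)."""
    events = packets = 0
    for rec in records:
        if rec["type"] == UNIFIED2_IDS_EVENT and "raw" not in rec:
            conn.execute("INSERT INTO event VALUES (?,?,?,?,?,?,?,?,?,?,?)",
                         tuple(rec[k] for k in ("sensor_id", "event_id", "event_second",
                               "signature_id", "generator_id", "signature_revision",
                               "ip_source", "ip_destination", "sport_itype",
                               "dport_icode", "protocol")))
            events += 1
        elif rec["type"] == UNIFIED2_PACKET and "raw" not in rec:
            conn.execute("INSERT INTO packet VALUES (?,?,?,?)",
                         (rec["sensor_id"], rec["event_id"], rec["event_second"],
                          rec["packet"]))
            packets += 1
    conn.commit()
    return events, packets


def build_sample_spool():
    """Constructed sample spool: one event, its packet, then a truncated record."""
    ev = IDS_EVENT.pack(1, 7, 1239700000, 123456, 1000001, 1, 3, 29, 2,
                        ip_to_int("192.0.2.10"), ip_to_int("198.51.100.20"),
                        43210, 80, 6, 0, 0, 0)
    frame = bytes(14) + b"\x45" + bytes(39)          # constructed 54-byte dummy frame
    pk = PACKET_HDR.pack(1, 7, 1239700000, 1239700000, 123789, 1, len(frame)) + frame
    complete = (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
                + RECORD_HDR.pack(UNIFIED2_PACKET, len(pk)) + pk)
    partial = (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev)[:20]
    return complete + partial


if __name__ == "__main__":
    recs, consumed = parse_records(build_sample_spool())
    print(load_into_db(recs, open_db()), "loaded; resume at spool offset", consumed)
```

Because the reader is its own process, a slow or unreachable database back-pressures the spool consumer rather than the detection engine, which is the separation Jason is arguing for. The consumer keeps the `consumed` offset and resumes from it on the next pass, and every insert is parameterized so packet bytes and alert fields never reach the SQL as text.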