Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: central logging and buffering

From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 22 May 2003 23:07:29 +1200
I think a lot of people have missed a point made by the original poster. If you have multiple IDS systems, and try to have them logging to any central SQL server, then you have a problem with a link outage occurs.
Snorts SQL schema (I'm getting out of my depth here - so no flaming - be gentle!) obviously creates situations where IDS-1 wants to create a new alert type - which involves updating a table so that "name" => next_sid. If IDS-1 has lost access to the central server, then it can't do that operation (whether directly or by replication), and so the next 100 alerts coming in about that alert type can't be finished (started?) until the central server is available again.
I've run MySQL in simple master-slave mode with two SQL servers - and it worked 100%. I have no idea what could handle the n-master model needed in this situation... (i.e. every slave server needs to be able to update the central server, and every slave server has to listen to the changes made on the central server)
That's why if you check the archives, I've previously asked if anyone had written some post-parser that could take the SQL databases from 'n' systems, and massage them all together into one big meta-database. e.g just so you can do a one-off monthly summary for upper management. I have even tried doing it myself. It's doable, but quite a bit of work (I've put it on the backburner).
Someone would make a lot of people happy if they could manage it. Currently I'm relying on alerting to local SQL AND syslog - and the syslog is centralized. That doesn't have any of the complexities of SQL and works well - you just don't get the packet dumps basically. 

Jason

PS: How does Sourcefire handle this with their commercial system?



-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: