Network Security: Detailed info on Re: [Snort-users] data from multiple sessions in one alert/packet

Subject:	Re: [Snort-users] data from multiple sessions in one alert/packet
Date:	Thu, 18 May 2006 18:50:04 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Snort has to eat alot of cycles to input stuff into the DB, while it is doing that, it's not sniffing as efficiently as it should.

Snort should output to either one of two things A) pcap binary, or B) Unified binary. Preferred method recommended from me is always going to be Unified, have barnyard read that unified file and input stuff into the db.

A.k.a. Don't have your IDS inserting into a DB, let your IDS be an IDS, let barnyard insert into DB.

Joel


On May 18, 2006, at 6:11 PM, Jon Hart wrote:

On Thu, May 18, 2006 at 02:07:08PM -0400, Joel Esler wrote:
Jon,
What type of output module are you using?
Joel
I'm using the database output plugin.  I know that can be a problem
under high load, right?  Is that high alert load or just high pps load
in general?  My signatures are fairly tight so we get maybe 10-20
hits/hour, though occassionally we'll get a peak when someone scans us
for something.
I had been using barnyard, but dumped it while attempting to debug
another problem.  If barnyard will help here, I'll do that again.
-jon
------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel? cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --Joel
joel.esler@sourcefire.com
http://demo.sourcefire.com/jesler.pgp.key

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEbPofKbCSyXHckt4RAsceAKCgg0NvhHpnBIf/PCKRmwjgNtQJxwCePVKP
pegK9KgRwd3Nljeot0c1iHA=
=jqXA
-----END PGP SIGNATURE-----


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] data from multiple sessions in one alert/packet, Jon Hart Re: [Snort-users] data from multiple sessions in one alert/packet, nikns Re: [Snort-users] data from multiple sessions in one alert/packet, Jon Hart Re: [Snort-users] data from multiple sessions in one alert/packet, Joel Esler [Snort-users] Alert Suppresion Fail, kritikus Araklidas Re: [Snort-users] Alert Suppresion Fail, Joel Esler [Snort-users] Mail Notification Fail, kritikus Araklidas Re: [Snort-users] data from multiple sessions in one alert/packet, Jon Hart Re: [Snort-users] data from multiple sessions in one alert/packet, Joel Esler <=

Previous by Date:	Re: [Snort-users] Alert Suppresion Fail, Joel Esler
Next by Date:	Re: [Snort-users] (no subject), Joel Esler
Previous by Thread:	Re: [Snort-users] data from multiple sessions in one alert/packet, Jon Hart
Next by Thread:	[Snort-users] mail, Lomov Pavel
Indexes:	[Date] [Thread] [Top] [All Lists]