From: Dragos Ruiu (drkyx.net)
Date: Mon Jul 02 2001 - 12:32:53 CDT


    I dunno if it's a new feature request.... Marty's excellent new "barnyard"
    output system might achieve this already, and if not it will make building
    this in easy. Have you looked at the cvs code?

    --dr

    On Mon, 02 Jul 2001, Kevin Brown wrote:
    > I was wondering how hard it might be to implement something within snort as
    > part of the logging features. The snort box that I run here connects to a
    > remote database to log alerts. The problem is that for various reasons
    > (firewall crashing, servers being rebooted, etc...) snort loses connection
    > with the SQL db and then the snort process dies. A possible feature that
    > could be useful for others who might be in a similar situation would be some
    > way to cache the inserts until such a time as the server comes back online
    > and then the data could be sent. This would be good as there wouldn't be a
    > repeat of what happened this last week when I went on vacation and no one
    > else checked on the snort box after the firewall locked up (the firewall
    > sits between our 6 servers and the rest of the world, the snort box is out
    > near the edge of the network).
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > http://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users

    -- 
    Dragos Ruiu <drdursec.com>   dursec.com ltd. / kyx.net - we're from the future 
    gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
    
