Caching behavior for alert_unified2 only


hojo

Apr 22, 2014, 10:46:14 AM4/22/14
to barnyar...@googlegroups.com
I made the changes that will ignore the packet and just insert events into the database. The spooler cache behavior is what I need to deal with next.

When the first event is seen, the cache is empty. This chunk of code looks at the cache and, seeing no header, skips the output plugin. The event is cached after that. Subsequent events are then processed and the output plugin is called on the previously cached event.

if ( spoolerEventCacheHeadUsed(spooler) == 0 )
{
    /* call output plugins with an "ALERT" format (cached Event information only) */
    DEBUG_WRAP(DebugMessage(DEBUG_SPOOLER,"Firing ALERT style (Event only)\n"););

    ernCache = spoolerEventCacheGetHead(spooler);

    if (fire_output)
        CallOutputPlugins(OUTPUT_TYPE__ALERT,
                          NULL,
                          ernCache->data,
                          ernCache->type);

    /* flush the event cache flag */
    ernCache->used = 1;
}
/* cache new data */
spoolerEventCachePush(spooler, type, spooler->record.data);
spooler->record.data = NULL;

/* waldo operations occur after the output plugins are called */
if (fire_output)
    spoolerWriteWaldo(&barnyard2_conf->waldo, spooler);

I would prefer to have each event just dumped to the database as it's read from the snort.log. It would seem that I could skip caching altogether, though I'm not sure the best way or what else that might break. Any advice?
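As an added illustration (my own sketch, not barnyard2's code), here is a minimal C model of the one-slot cache in the snippet above next to the direct dispatch the question asks for. The u2_event_t struct, g_log, spooler_t and the record functions are constructed stand-ins for the real spooler and output plugin.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for a unified2 alert record; only what the demo needs. */
typedef struct { unsigned event_id; unsigned sig_id; } u2_event_t;

#define MAX_FIRED 16
/* Constructed stand-in for the output plugin (e.g. the database writer):
 * it only records which event ids it was handed, in order. */
static struct { unsigned fired[MAX_FIRED]; size_t n; } g_log;
static void call_output_plugin(const u2_event_t *ev) {
    if (g_log.n < MAX_FIRED)
        g_log.fired[g_log.n++] = ev->event_id;
}
static unsigned fired_id(size_t i) { return i < g_log.n ? g_log.fired[i] : 0; }

/* One-slot event cache, modelled on the spooler loop quoted above. */
typedef struct { u2_event_t cached; int has_head; int used; } spooler_t;

/* Cached mode: the cached event is fired only when the NEXT record arrives,
 * so the final event of a file is not reported until something follows it. */
static void spooler_record_cached(spooler_t *sp, const u2_event_t *ev) {
    if (sp->has_head && !sp->used) {     /* spoolerEventCacheHeadUsed() == 0 */
        call_output_plugin(&sp->cached); /* CallOutputPlugins(..., cached, ...) */
        sp->used = 1;                    /* ernCache->used = 1 */
    }
    sp->cached = *ev;                    /* spoolerEventCachePush() */
    sp->has_head = 1;
    sp->used = 0;
}

/* Direct mode, what the question asks for: no cache and no packet matching,
 * every event goes to the output plugin as soon as it is read. */
static void spooler_record_direct(spooler_t *sp, const u2_event_t *ev) {
    (void)sp;
    call_output_plugin(ev);
}

typedef void (*record_fn)(spooler_t *, const u2_event_t *);
/* Replay n constructed events through one mode; returns how many reached the plugin. */
static size_t replay(record_fn fn, size_t n) {
    spooler_t sp;
    memset(&sp, 0, sizeof sp);
    memset(&g_log, 0, sizeof g_log);
    for (size_t i = 0; i < n; i++) {
        u2_event_t ev = { (unsigned)(i + 1), 1000u + (unsigned)i };
        fn(&sp, &ev);
    }
    return g_log.n;
}
```

Replaying three events shows the cached path delivering only two of them until a fourth record arrives, which is the lag described above; the direct path delivers all three but gives up the event/packet pairing that the u2_log and unified2 outputs depend on.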

beenph

Apr 24, 2014, 6:22:56 AM4/24/14
to barnyar...@googlegroups.com
On Tue, Apr 22, 2014 at 10:46 AM, hojo <dhaj...@gmail.com> wrote:
> I made the changes that will ignore the packet and just insert events into
> the database. The spooler cache, behavior is what I need to deal with next.

> I would prefer to have each event just dumped to the database as it's read
> from the snort.log. It would seem that I could skip caching all together
> though I'm not sure the best way or what else that might break. Any advice?
>
Since you are focusing on bypassing caching and only logging u2_alert,
then you do not need to bother about caching and matching packets with event
headers, so you can disable the spooler event caching without much consequence,
unless you hope to also support u2_log and unified2.

-elz