Wednesday, July 18, 2012

Database output is dead. R.I.P.

Last June (2011) we gave you a heads up (and several reminders since) that in Snort 2.9.3.0 we were going to remove the spo_database output module, as well as the Aruba and Prelude output modules.

For those of you who originally compiled Snort with:
./configure --enable-mysql

or whose snort.conf "output" lines look like this:
output database: alert
AND/OR
output database: log

this will affect YOU.

Our recommendation is that after you upgrade to Snort 2.9.3.0, you move to full unified2 logging and use barnyard2 to read those unified2 files and insert the events into your MySQL database.

You can find more information about barnyard2 here:
https://github.com/firnsy/barnyard2
http://www.securixlive.com/barnyard2/
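As an added example (not code from this post, nor from the Snort or barnyard2 projects), the POSIX shell script below does the check a practitioner would want before upgrading: it flags any active "output" line in a snort.conf that uses a module removed in 2.9.3.0, then writes out constructed snort.conf and barnyard2.conf fragments showing the unified2 plus barnyard2 arrangement recommended above. The database credentials, file names and paths are placeholders; the "output unified2", "input unified2" and barnyard2 "output database" directives and the barnyard2 command-line flags are the projects' own.

```shell
#!/bin/sh
# Added example, not from the Snort blog post: flag snort.conf "output" lines
# that use modules removed in Snort 2.9.3.0 and show the unified2 + barnyard2
# replacement. Credentials, file names and paths are constructed placeholders.

# Print any active output line that uses a module removed in 2.9.3.0
# (spo_database, Prelude, Aruba). Returns 1 if the config still needs
# migrating, 0 if it is clean. Commented-out lines are ignored.
# Intended for snort.conf only: in barnyard2.conf "output database:" is correct.
find_removed_outputs() {
    grep -E '^[[:space:]]*output[[:space:]]+(database|alert_prelude|alert_aruba_action):' "$1" && return 1
    return 0
}

# Constructed legacy snort.conf fragment: the lines the post says will break.
OLD_CONF=$(mktemp)
cat > "$OLD_CONF" <<'EOF'
# ... preprocessor and rule includes omitted ...
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
EOF

# Replacement snort.conf fragment: Snort writes unified2 only, so the sensor
# needs neither a database client library nor database credentials.
NEW_CONF=$(mktemp)
cat > "$NEW_CONF" <<'EOF'
# ... preprocessor and rule includes omitted ...
# output database: log, mysql, ...   <- removed in 2.9.3.0, left as a comment
output unified2: filename snort.u2, limit 128
EOF

# barnyard2.conf fragment: barnyard2 tails the unified2 spool and performs
# the MySQL inserts, so the credentials live here instead of in snort.conf.
BY2_CONF=$(mktemp)
cat > "$BY2_CONF" <<'EOF'
input unified2
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
EOF

trap 'rm -f "$OLD_CONF" "$NEW_CONF" "$BY2_CONF"' EXIT

# Typical barnyard2 invocation (not run here): -c config file, -d spool
# directory, -f unified2 base filename, -w bookmark ("waldo") file so a
# restart resumes where it left off, -D daemonize.
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#             -w /var/log/snort/barnyard2.waldo -D

for conf in "$OLD_CONF" "$NEW_CONF"; do
    if find_removed_outputs "$conf"; then
        echo "$conf: no removed output modules"
    else
        echo "$conf: the lines above must move to unified2 + barnyard2"
    fi
done
```

The practical upside of the split is that the sensor process never holds database credentials and keeps logging to the unified2 spool even when the database is down; barnyard2 catches up from its waldo file once the database is back.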

As always, questions can be asked on the Snort Mailing Lists! Thank you!