Snort mailing list archives
Re: Snort output redirection buffered
From: Chris Green <cmg () sourcefire com>
Date: Mon, 19 May 2003 14:25:55 -0400
JP Vossen <vossenjp () netaxs com> writes:
> It seems like Snort output is buffered quite a bit. When running version
> 2.0.0 (Build 72) on Red Hat 8.0 2.4.18-27.8.0 as follows, the traffic is
> very bursty:
>
>     snort -vdCqi eth1 udp port 514 | SomeScript.pl
>     snort -vdCqi eth1 udp port 514 | tee somefile
>
> It seems like there is a buffer of between about 1500 - 2000 bytes. Does
> that make sense or is there someone else I'm missing? Any way to turn it
> off w/o patching the source?

Nope.

> If no, how hard would it be to patch the source (assume I know almost
> nothing about C :-)?

Add a fflush(stdout) to snort.c

    case MODE_PACKET_LOG:
        CallLogPlugins(&p, NULL, NULL, NULL);
        fflush(stdout);

--
Chris Green <cmg () sourcefire com>
Chicken's thinkin'
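
The effect discussed in this thread, as an added example that is not part of the original post or of Snort's source: a stdio stream attached to a pipe is fully buffered, so records only reach the reader once the buffer fills or the stream is flushed. The pipe()/fdopen() pair stands in for stdout being piped to another process; the function name and the sample record are constructed, and the unflushed case assumes the stdio buffer is larger than the roughly 300 bytes written.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

/* Constructed sample record standing in for one printed packet. */
static const char *SAMPLE = "05/19-14:25:55 192.0.2.10:514 -> 192.0.2.20:514 UDP len=64\n";

/*
 * Write `records` sample lines to a pipe through a stdio stream and report
 * how many bytes the reading side can see before the stream is closed.
 * flush_each != 0 calls fflush() after every record, as in the patch above.
 * Returns -1 if the pipe or stream cannot be created.
 */
long bytes_visible_before_close(int records, int flush_each)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    FILE *out = fdopen(fds[1], "w");   /* not a tty, so fully buffered */
    if (out == NULL) { close(fds[0]); close(fds[1]); return -1; }

    for (int i = 0; i < records; i++) {
        fputs(SAMPLE, out);
        if (flush_each)
            fflush(out);               /* push this record to the reader now */
    }

    /* Non-blocking read so that an empty pipe returns immediately. */
    fcntl(fds[0], F_SETFL, O_NONBLOCK);
    char buf[4096];
    long seen = 0;
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0)
        seen += n;

    fclose(out);                       /* leftover buffered data goes out here */
    close(fds[0]);
    return seen;
}

int main(void)
{
    printf("record length: %zu bytes\n", strlen(SAMPLE));
    printf("no flush: %ld bytes visible\n", bytes_visible_before_close(5, 0));
    printf("fflush:   %ld bytes visible\n", bytes_visible_before_close(5, 1));
    return 0;
}
```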