Snort mailing list archives
Re: Alerting unified or (fast) ASCII?
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Wed, 20 Oct 2004 18:11:41 +0200
Matt,

Matt Kettler wrote:

> At 09:50 AM 10/20/2004, Edin Dizdarevic wrote:
> > ...
>
> Unified will allow snort to handle a significantly larger load, as most of the data is written out in the raw binary format it appears in the IP packet. ASCII mode logging requires some additional translation.

All right, I assumed that isn't really that much work to do. Obviously the effort is far from negligible. :(

> > After all a second by instance for alerting (besides logging) is needed.
>
> Ahhh, but here's where you're missing something. The fact that barnyard is used does not speed up how long it takes to get alerts written into a textual format. However, it removes the ASCII conversion from snort's time-critical packet capture process. This greatly reduces packet drop rate.

Yes, but it consumes system resources, memory and CPU cycles. Especially if more than one alert has been triggered, by will try to process the previous entry during the same time another alert may occur. I'm not that good at programming, but by's file access should be non-blocking; otherwise it may hinder Snort. I suppose that is anyway the case.

> The overall CPU consumption is the same, but the time-critical path is much shorter in the unified/barnyard case.

Good to know. I already thought the effort of writing start scripts for two by instances had been useless ;). On the other side, I have experienced no packet drops at all on the 100Mbit line since (in spite of Arkeia).

Regards,
Edin

--
Edin Dizdarevic
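As an added example (not part of the thread and not the Snort or Barnyard projects' own files), here is the split Matt describes expressed as configuration: Snort appends raw unified records to spool files and moves on, and two separate barnyard instances, one per spool as Edin runs them, do the ASCII conversion outside Snort's capture path. Host name, interface, file names and paths are assumptions.

```conf
# --- snort.conf fragment (added example; names and paths are assumptions) ---
# ASCII alerting inside the capture path: Snort itself formats every alert
# before it can return to reading packets.
#   output alert_fast: alert
#
# Unified instead: Snort writes the binary record and returns immediately.
# "limit" is the spool rollover size in MB.
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# --- barnyard-alert.conf (Barnyard 0.2 style; first "by" instance) ---
config daemon
config hostname:  sensor1
config interface: eth0
# Consume the alert spool and emit the same fast-style text Snort would have.
processor dp_alert
output alert_fast

# --- barnyard-log.conf (second "by" instance, separate process) ---
# config daemon
# config hostname:  sensor1
# config interface: eth0
# processor dp_log
# output log_dump

# Start each instance against its own spool base name and waldo (bookmark)
# file so a restart resumes where it left off (shell commands, shown as comments):
#   barnyard -c /etc/snort/barnyard-alert.conf -d /var/log/snort -f snort.alert -w /var/log/snort/alert.waldo
#   barnyard -c /etc/snort/barnyard-log.conf   -d /var/log/snort -f snort.log   -w /var/log/snort/log.waldo
```

In this layout the per-packet cost on the Snort side is a buffered append of the unified record; the text formatting still costs the same CPU, but it now happens in the barnyard processes, which can fall behind on the spool files without causing Snort to drop packets. If barnyard did fall behind, the symptom would be a growing gap between the spool file and the waldo bookmark rather than drops in Snort's own statistics.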