Re: Upgrading from Snort v2.3.2 to 2.8.3.1

[Joel Esler <eslerj () gmail com>]

On Dec 9, 2008, at 9:59 PM, Ian Masters allegedly wrote:

> > Ian, I suggest that you output to unified.  Then use a third party  
> > tool,
> > like Barnyard or SnortUnified.pm to parse the Unified file and insert
> > into the db.  Inserting into the DB directly from Snort, is bad.
>
> Can you tell me why it is "bad"? That is the way our system was set  
> up a
> few years ago. There haven't been any problems that I'm aware of.
>
> If it would be better to do as you suggest, I'll need to do that on a
> test system first.
>
> That might take quite some time.

Snort is single threaded.  You want it to output as fast as possible  
to reduce packet processing latency.  (Unified is fastest).  By having  
Snort do direct database inserts, Snort has to "stop" being an IDS,  
and do an INSERT on the table.  It's not a big problem by itself, but  
if you are alot of inserts at the same time, you will drop packets.

J


------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you.  Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users