Snort mailing list archives
Re: Homebrew Snort Reactive/Unified2 output
From: Korodev <korodev () gmail com>
Date: Thu, 7 Apr 2011 10:09:21 -0500
> It is my opinion that you are better off spooling off of U2 files. Given what you describe, you would not be reacting in real-time anyway, and packets have already made it through, regardless of reacting using an output plugin or spooling off of U2 files. The obvious benefit of spooling off of U2 files is that it's Snort-version independent and does not require you to patch / maintain changes to the Snort source every time a new version comes out. Just my .02
>
> JJC
Thanks for your input. I'm thinking spooling off U2 files in the end will probably be the best solution, but I would like to experiment with the output plugin. However, the common polling approach when dealing with the U2 files won't work very well to achieve the desired goals, so I'll have to implement some sort of async solution using kqueue or something similar in FreeBSD.

\\korodev
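One way to build the event-driven spool reader discussed above, as an added example that is not part of the thread: it tails a unified2 file, sleeping on kqueue where the platform has it (FreeBSD, macOS) and falling back to timed polling elsewhere, and it carries a half-written record over to the next read instead of mis-parsing it. The record type numbers are the unified2 constants from Snort's headers; the spool path and the handler callback are assumptions of this example.

```python
import select
import struct
import time

# unified2 record header: two 32-bit big-endian fields, record type then length.
U2_HEADER = struct.Struct("!II")
# Subset of Snort's unified2 record type constants (Unified2_common.h).
U2_TYPE_NAMES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
                 104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN",
                 110: "EXTRA_DATA"}


def parse_records(buf):
    """Split buf into complete (type, payload) records.
    Returns (records, leftover): leftover is the tail of a record Snort has
    not finished writing yet and must be prepended to the next read."""
    records, off = [], 0
    while len(buf) - off >= U2_HEADER.size:
        rtype, rlen = U2_HEADER.unpack_from(buf, off)
        end = off + U2_HEADER.size + rlen
        if end > len(buf):
            break  # header present but body incomplete: wait for more bytes
        records.append((rtype, bytes(buf[off + U2_HEADER.size:end])))
        off = end
    return records, bytes(buf[off:])


def follow_spool(path, handle, idle=0.5):
    """Tail a live unified2 spool file and call handle(type, payload) per record.
    path and handle are assumptions of this example, not Snort's own API."""
    leftover = b""
    with open(path, "rb") as fh:
        # Event-driven wait on BSD-style kqueue; polling fallback elsewhere.
        kq = select.kqueue() if hasattr(select, "kqueue") else None
        if kq:
            ev = select.kevent(fh.fileno(), select.KQ_FILTER_VNODE,
                               select.KQ_EV_ADD | select.KQ_EV_CLEAR,
                               select.KQ_NOTE_WRITE | select.KQ_NOTE_EXTEND)
            kq.control([ev], 0)
        while True:
            chunk = fh.read()  # everything appended since the last read
            if chunk:
                records, leftover = parse_records(leftover + chunk)
                for rtype, payload in records:
                    handle(U2_TYPE_NAMES.get(rtype, rtype), payload)
            elif kq:
                kq.control(None, 1)  # block until Snort appends to the file
            else:
                time.sleep(idle)
```

Snort rolls spool files by timestamp, so a production reader also needs to notice a new file appearing in the log directory and re-open; the record parser above is unchanged by that.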