Re: [Snort-users] Alerting unified or (fast) ASCII?

Old 10-20-2004
Edin Dizdarevic

Matt,

Matt Kettler wrote:

> At 09:50 AM 10/20/2004, Edin Dizdarevic wrote:
>
> ....
>
> Unified will allow snort to handle a significantly larger load, as
> most of the data is written out in the raw binary format it appears
> in the IP packet. ASCII mode logging requires some additional
> translation.


All right, I assumed that isn't really that much work to do.
Obviously the effort is far from negligible. :(

>
>> After all a second by instance for alerting (besides logging) is
>> needed.
>
> Ahhh, but here's where you're missing something. The fact that
> barnyard is used does not speed up how long it takes to get alerts
> written into a textual format. However, it removes the ascii
> conversion from snort's time-critical packet capture process. This
> greatly reduces packet drop rate.


Yes, but it consumes system resources, memory and cpu cycles.
Especially if more than one alert has been triggered, by will try to
process the previous entry at the same time another alert may occur.
I'm not that good in programming but by's file access should be
non-blocking, otherwise it may hinder Snort. I suppose that is anyway the
case.

>
> The overall CPU consumption is the same, but the time-critical path
> is much shorter in the unified/barnyard case.


Good to know. I already thought the effort writing start scripts for two
by instances had been useless ;). On the other side I have experienced no
packet drops at all on the 100Mbit line since (in spite of Arkeia).


Regards,
Edin

--
Edin Dizdarevic
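The two setups the thread compares, as an added configuration example (not from the thread or from the Snort/barnyard projects): Snort writing ASCII alerts itself versus unified output consumed by two barnyard instances, one per stream. Syntax is Snort 2.x / barnyard 0.2 as I remember it; file paths, the 128 MB roll-over limit and the exact option spellings are assumptions to check against the snort and barnyard documentation for your version.

```conf
# --- snort.conf, variant A: Snort formats alerts to ASCII itself ---
# alert_fast runs inside Snort's packet-capture loop, so every alert
# costs capture time (the path Matt describes as slowing Snort down).
output alert_fast: alert

# --- snort.conf, variant B: unified output, text conversion deferred ---
# Snort only appends raw binary records; "limit" rolls the file at
# 128 MB (value assumed for the example).
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# --- barnyard-alert.conf: first instance, alert stream -> fast ASCII ---
# The maps supply the rule message and class text the binary record lacks.
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file:  /etc/snort/classification.config
output alert_fast: /var/log/snort/alert.fast

# --- barnyard-log.conf: second instance, packet log stream -> readable dump ---
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file:  /etc/snort/classification.config
output log_dump: /var/log/snort/snort.log.dump

# Start one barnyard per stream (the "two by instances" of the thread),
# each with its own waldo bookmark so a restart resumes where it stopped
# and never re-reads records Snort has already spooled:
#   barnyard -c /etc/snort/barnyard-alert.conf -d /var/log/snort \
#            -f snort.alert -w /var/log/snort/alert.waldo -D
#   barnyard -c /etc/snort/barnyard-log.conf   -d /var/log/snort \
#            -f snort.log   -w /var/log/snort/log.waldo   -D
```

Because barnyard only tails the spool files, a slow or stopped barnyard delays the ASCII output but does not block Snort, which is the property Edin is asking about above; watch the spool directory's disk usage, since that is where the backlog then accumulates.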

